Abstract

We present a randomized algorithm that on input a finite field $K$ with $q$ elements and a positive integer $d$ outputs a degree $d$ irreducible polynomial in $K[x]$. The running time is $d^{1+o(1)} \times (\log q)^{5+o(1)}$ elementary operations. The $o(1)$ in $d^{1+o(1)}$ is a function of $d$ that tends to zero when $d$ tends to infinity, and the $o(1)$ in $(\log q)^{5+o(1)}$ is a function of $q$ that tends to zero when $q$ tends to infinity. In particular, the complexity is quasi-linear in the degree $d$.

1 Introduction

This article deals with the following problem: given a prime $p$, a power $q = p^w$ of $p$, a finite field $K$ with $q$ elements, and a positive integer $d$, find a degree $d$ irreducible polynomial in $K[x]$. We assume that the finite field $K$ is given as a quotient $(\mathbb{Z}/p\mathbb{Z})[z]/(h(z))$ where $h(z)$ is a degree $w$ unitary irreducible polynomial in $(\mathbb{Z}/p\mathbb{Z})[z]$. The complexity of algorithms will be evaluated in terms of the number of necessary elementary operations. Additions, subtractions and comparisons in $K$ require $O(\log q)$ elementary operations. Multiplication and division require $(\log q) \times (\log\log q)^{O(1)}$ elementary operations.

A classical approach to finding irreducible polynomials consists in first choosing a random polynomial of degree $d$ and then testing for its irreducibility. The probability that a polynomial of degree $d$ be irreducible is $\geq 1/(2d)$. See Lidl and Niederreiter [11, Ex. 3.26 and 3.27, page 142] and Lemma 4 of Section 7.3 below. In order to check whether a polynomial $f(x)$ is irreducible, we may use Ben-Or's irreducibility test [2]. This test has maximal complexity $(\log q)^{2+o(1)} \times d^{2+o(1)}$ elementary operations while its average complexity is $(\log q)^{2+o(1)} \times d^{1+o(1)}$ elementary operations according to Panario and Richmond [12]. Since $O(d)$ random trials are needed on average, the average complexity of finding an irreducible polynomial with this method is $d^{2+o(1)} \times (\log q)^{2+o(1)}$ elementary operations. All the known algorithms have a quadratic factor at least in $d$. A survey can be found in the work of Shoup [14, section 1.2]. It seems difficult to improve on these existing methods as long as we use an irreducibility test.

So we are driven to consider very particular polynomials. For example, Adleman and Lenstra [1] construct irreducible polynomials in this way. Their method is deterministic polynomial time, under the Riemann Hypothesis. It uses Gauss periods. In Section 2 we recall how efficient such methods can be for very special values of the degree $d$. We reach quasi-linear complexity in $d$ when $d = \ell^\delta$ is a power of a prime divisor $\ell$ of $p(q-1)$. Section 3 explains how to construct a degree $d_1 d_2$ irreducible polynomial once given two irreducible polynomials of coprime degrees $d_1$ and $d_2$. We explain in Sections 4 and 5 how to construct irreducible polynomials using isogenies between elliptic curves. Thanks to this new construction, we reach quasi-linear complexity in $d$ when $d = \ell^\delta$ is a power of a prime $\ell$ and $\ell$ does not divide $p(q-1)$. Putting everything together, we obtain a probabilistic algorithm that finds a degree $d$ irreducible polynomial in $K[x]$ at the expense of $d^{1+o(1)} \times (\log q)^{5+o(1)}$ elementary operations, without any restriction on $d$ nor $q$. Our constructions are summarized in Section 6 and Theorem 1. In Section 7 we state several useful preliminary results about finite fields, polynomials and elliptic curves.

Remark: One may wonder if the algorithms and complexity estimates in this paper are still valid when the base field is not presented as a quotient $(\mathbb{Z}/p\mathbb{Z})[z]/(h(z))$. Assume for example that elements in $K$ are represented as vectors in $(\mathbb{Z}/p\mathbb{Z})^w$. Assume we are given the vector corresponding to the unit element $1$. Assume also we are given a black box or an algorithm that computes multiplications and divisions of elements in $K$. In this situation, before applying the algorithms presented in this paper, we should first construct an isomorphism between the given $K$ and a quotient ring of the form $(\mathbb{Z}/p\mathbb{Z})[z]/(h(z))$. To this end, we first look for a generator $r$ of the $(\mathbb{Z}/p\mathbb{Z})$-algebra $K$. We pick a random element $r$ in $K$. The probability that $r$ generates $K$ over $\mathbb{Z}/p\mathbb{Z}$ is at least $1/2$ according to Lemma 4 of Section 7.3. We compute the powers $r^k$ for $0 \le k \le w$. These are $w+1$ vectors of length $w$. We compute the kernel of the corresponding matrix in $M_{w \times (w+1)}(\mathbb{Z}/p\mathbb{Z})$. If the dimension of this kernel is bigger than $1$ then $r$ is not a generator, so we pick a different $r$ and start again. If the kernel has dimension $1$ we obtain the minimal polynomial $h(z) \in (\mathbb{Z}/p\mathbb{Z})[z]$ of $r$, and an explicit isomorphism $\kappa$ from $\bar K = (\mathbb{Z}/p\mathbb{Z})[z]/(h(z))$ onto $K$. All this requires $O(w)$ operations in $K$ and, by Gaussian elimination, $O(w^3)$ operations in $\mathbb{Z}/p\mathbb{Z}$. Given any degree $d$ irreducible polynomial $f(x)$ in $\bar K[x]$ we deduce an irreducible polynomial in $K[x]$ by applying the isomorphism $\kappa$ to every coefficient in $f(x)$. This requires $dw^2$ operations in $\mathbb{Z}/p\mathbb{Z}$. So our algorithms and complexity estimates remain valid in that case, as long as elementary operations in $K$ can be computed in time $(\log q)^{1+o(1)}$ elementary operations. This includes all the reasonable known models for finite fields, including normal bases and towers of extensions.

Notation: if $K$ is a field with characteristic $p$ and $q$ is a power of $p$, we note $\Phi_q : K \to K$ the morphism which raises to the $q$-th power. If $G$ is an algebraic group over $K$ we note $\varphi_q : G \to G^{(q)}$ the Frobenius morphism.

Acknowledgements: we thank K. Kedlaya for pointing out to us his joint work with Umans [9], and H. Lenstra for explaining to us how to save a $\log q$ factor in the complexity using [7].

2 Basic constructions

In this section $K$ is a finite field with $q = p^w$ elements and $\Omega$ is an algebraic closure of $K$. For every positive integer $k$, we denote by $\mathbb{F}_{p^k}$ the unique subfield of $\Omega$ with $p^k$ elements. We explain how to quickly construct a degree $d$ irreducible polynomial when $d$ is a prime power $\ell^\delta$ and $\ell$ divides $p(q-1)$. All the constructions in this section are known, but deserve to be quickly surveyed. Section 2.1 deals with the case $\ell = p$. Section 2.2 deals with the case when $\ell$ is a prime divisor of $q-1$. Section 2.3 is concerned with the special case $\ell = 2$ and $q$ odd. In Section 2.4 we detail on a simple example how Gauss periods can be useful in some cases. Although the results in Section 2.4 are not necessary to prove Theorem 1, several ideas at work in this section play a decisive role later in the slightly more advanced context of Section 5.

2.1 Artin-Schreier towers

In this section we are given a $p$-th power $d = p^\delta$ and we want to construct a degree $d$ irreducible polynomial in $K[x]$. We use a construction of Lenstra and de Smit [6] in that case. If $k$ and $l$ are two positive integers such that $k$ divides $l$ we define the polynomial
$$T_{k,l}(x) = x + x^{p^k} + x^{p^{2k}} + \cdots + x^{p^{l-k}},$$
which induces the trace from $\mathbb{F}_{p^l}$ to $\mathbb{F}_{p^k}$. For every positive integer $k$ we denote by $A_k \subset \Omega$ the subset consisting of all scalars $a \in \Omega$ such that the three following conditions hold true:

1. $a$ generates $\mathbb{F}_{p^k}$ over $\mathbb{F}_p$, i.e. $\mathbb{F}_p(a) = \mathbb{F}_{p^k}$,

2. $a$ has non-zero absolute trace: $T_{1,k}(a) \neq 0$,

3. $a^{-1}$ has non-zero absolute trace: $T_{1,k}(a^{-1}) \neq 0$.

We set
$$I(x) = \frac{x^p - 1}{x + x^2 + \cdots + x^{p-1}}.$$
This rational fraction induces an unramified covering
$$I : \Omega - \mathbb{F}_p \to \Omega - \{0\}.$$
We check that $I^{-1}(A_k) \subset A_{pk}$ for every $k \ge 1$. Indeed, if $a \in A_k$ and if $I(b) = a$ then $b \notin \mathbb{F}_p$ and
$$\frac{1}{(1-b)^p} - \frac{1}{1-b} = \frac{b^p - b}{(1-b)^{p+1}} = \frac{b + b^2 + \cdots + b^{p-1}}{b^p - 1} = a^{-1}.$$
So $1/(1-b)$ is a root of the separable polynomial $x^p - x - a^{-1}$. This polynomial is irreducible over $\mathbb{F}_{p^k}$ because the absolute trace of $a^{-1}$ is non-zero. Since $\mathbb{F}_p(b)$ contains $I(b) = a$, hence $\mathbb{F}_{p^k}$, we get $\mathbb{F}_p(b) = \mathbb{F}_{p^{pk}}$. Further $b$ is a root of the polynomial $x^p - a(x^{p-1} + \cdots + x) - 1$. So the trace $T_{k,pk}(b)$ of $b$ relative to the extension $\mathbb{F}_{p^{pk}}/\mathbb{F}_{p^k}$ is $a$. As a consequence the absolute trace of $b$ is $T_{1,pk}(b) = T_{1,k}(T_{k,pk}(b)) = T_{1,k}(a)$, the absolute trace of $a$; and it is non-zero. Now $b^{-1}$ is a root of the reversed polynomial $x^p + a(x^{p-1} + \cdots + x) - 1$. So the trace of $b^{-1}$ relative to the extension $\mathbb{F}_{p^{pk}}/\mathbb{F}_{p^k}$ is $-a$. As a consequence the absolute trace of $b^{-1}$ is the opposite of the absolute trace of $a$; and it is non-zero.

Since $A_1 = \mathbb{F}_p - \{0\}$ we deduce that $\#A_{p^k} \ge (p-1)p^k$. In particular the fiber above $1$ of the iterated rational fraction $I^{(\delta)} = I \circ \cdots \circ I$ ($\delta$ times) is irreducible over $\mathbb{F}_p$. If $w$ is prime to $p$ then this fiber remains irreducible over $K = \mathbb{F}_q$. In general, we factor the degree $w$ of $\mathbb{F}_q/\mathbb{F}_p$ as $w = p^e w'$ where $w'$ is prime to $p$. We first look for an element $a \in A_{p^e} \subset \mathbb{F}_q$. Using the remarks above we can find such an $a$ by solving $e$ Artin-Schreier equations with coefficients in $\mathbb{F}_q$, starting from $1 \in A_1$. To this end, we write down the matrix of the $\mathbb{F}_p$-linear map $x \mapsto x^p - x$ in the $\mathbb{F}_p$-basis $(1, z, \ldots, z^{w-1})$ of $K = (\mathbb{Z}/p\mathbb{Z})[z]/(h(z))$. We then solve the $e$ corresponding $\mathbb{F}_p$-linear systems of dimension $w$. Altogether, finding $a$ requires $O(w \times \log p)$ operations in $K$ and $O(ew^3)$ operations in $\mathbb{F}_p$. Since $w = O(\log q)$ and $e = O(\log w) = O(\log\log q)$ we end up with a complexity of $(\log q)^{3+o(1)}$ elementary operations.

The fiber $(I^{(\delta)})^{-1}(a)$ is a degree $p^\delta$ irreducible divisor over $\mathbb{F}_{p^{p^e}}$. It remains irreducible over $K = \mathbb{F}_q$. There remains to compute the annihilating polynomial of this fiber. We compute the iterated rational fraction $I^{(\delta)}(x) = N(x)/D(x)$. Composition of polynomials and power series can be computed in quasi-linear time, i.e. $d^{1+o(1)} \times (\log q)^{1+o(1)}$ elementary operations, using recent results by Umans and Kedlaya [15, 9]. See Corollary 2 in Section 7.5 below. An older algorithm due to Brent and Kung has exponent $(\omega+1)/2 + o(1)$ where $\omega$ is the exponent in matrix multiplication. So we can compute $N(x)$ and $D(x)$ at the expense of $\delta \times d^{1+o(1)} \times (\log q)^{1+o(1)} = d^{1+o(1)} \times (\log q)^{1+o(1)}$ elementary operations. The polynomial $f(x) = N(x) - aD(x)$ is an irreducible degree $d$ polynomial in $K[x]$.

An example: We take $p = 2$, $q = 4$, $\delta = 2$ and $d = 4$. We assume $K = \mathbb{F}_2[z]/(z^2 + z + 1)$. So $w = 2$ and $e = 1$. We know that $1 \in A_1$. We set $a = z \bmod z^2 + z + 1$ and check that $I(a) = (a^2 + 1)/a = 1$. So $a \in A_2$. We compute
$$I(I(x)) = \frac{x^4 + x^2 + 1}{x^3 + x}$$
and set $f(x) = x^4 + x^2 + 1 - a(x^3 + x)$. This is an irreducible polynomial in $K[x]$.
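The Artin-Schreier fiber of Section 2.1 in working Python, as an added example that is not part of the paper. It specializes to $p = 2$ and $K = \mathbb{F}_2$ (so $w = 1$, $e = 0$ and $a = 1 \in A_1$), packs polynomials over $\mathbb{F}_2$ into Python integers, iterates $I(x) = (x^2-1)/x$ through $I(N/D) = (N^2 - D^2)/(ND)$, and returns $f = N - aD$. The irreducibility check is Rabin's criterion, our own choice for a check and not the Ben-Or test the introduction cites; for $\delta = 2$ the fiber above $1$ is $x^4 + x^3 + x^2 + x + 1$, for $\delta = 3$ a degree $8$ polynomial. The paper's own example over $\mathbb{F}_4$ needs extension-field coefficients and is not reproduced here.

```python
# Added example (not from the paper): Section 2.1 for p = 2, K = F_2, a = 1.
# Polynomials over F_2 are Python ints, bit i holding the coefficient of x^i.

def clmul(a, b):
    """Product in F_2[x] (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def cmod(a, m):
    """Remainder of a modulo m in F_2[x]."""
    dm = m.bit_length() - 1
    while a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a

def cgcd(a, b):
    """Greatest common divisor in F_2[x]; 1 means coprime."""
    while b:
        a, b = b, cmod(a, b)
    return a

def artin_schreier_fiber(delta):
    """Writes I^(delta)(x) = N(x)/D(x) for I(x) = (x^2 - 1)/x and returns f(x) = N(x) - a D(x)
    with a = 1, the fiber of I^(delta) above 1.  One step uses I(N/D) = (N^2 - D^2)/(N D), the
    p = 2 case of I(N/D) = (N^p - D^p) / (N D^(p-1) + N^2 D^(p-2) + ... + N^(p-1) D)."""
    N, D = 0b10, 0b1                            # I^(0)(x) = x / 1
    for _ in range(delta):
        N, D = clmul(N, N) ^ clmul(D, D), clmul(N, D)
    return N ^ D                                # N - 1*D: subtraction is XOR over F_2

def is_irreducible(f):
    """Rabin's criterion over F_2 (a deterministic relative of the Ben-Or test cited in the
    introduction): f of degree n is irreducible iff x^(2^n) = x mod f and
    gcd(x^(2^(n/r)) - x, f) = 1 for every prime r dividing n."""
    n = f.bit_length() - 1
    x = cmod(0b10, f)

    def x_pow_2k(k):                            # x^(2^k) mod f by k successive squarings
        h = x
        for _ in range(k):
            h = cmod(clmul(h, h), f)
        return h

    for r in range(2, n + 1):
        if n % r == 0 and all(r % s for s in range(2, r)):
            if cgcd(x_pow_2k(n // r) ^ x, f) != 1:
                return False
    return x_pow_2k(n) == x

if __name__ == "__main__":
    for delta in range(1, 6):
        f = artin_schreier_fiber(delta)
        print(delta, bin(f), is_irreducible(f))
```

The fiber polynomials for $\delta = 1, 2, 3$ are $x^2 + x + 1$, $x^4 + x^3 + x^2 + x + 1$ and $x^8 + x^7 + x^6 + x^4 + x^2 + x + 1$; the roots of the last one generate $\mathbb{F}_{256}$ over $\mathbb{F}_2$, as the inclusion $I^{-1}(A_k) \subset A_{2k}$ predicts.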

2.2 Radicial extensions

In this section $\ell$ is a prime dividing $q - 1$. Let $d = \ell^\delta$ for some positive integer $\delta$. In the special case $\ell = 2$ we further ask that $\ell^2 = 4$ divide $q - 1$. We want to construct a degree $d$ irreducible polynomial in $K[x]$. This is a very classical case. We write $q - 1 = \ell^e \ell'$ where $\ell'$ is prime to $\ell$. We first look for a generator $a$ of the $\ell$-Sylow subgroup of $\mathbb{F}_q^*$. To find such a generator, we pick a random element in $\mathbb{F}_q^*$ and raise it to the power $\ell'$. Call $a$ the result. Check that $a^{\ell^{e-1}} \neq 1$. If this is not the case, start again. The probability of success is $1 - 1/\ell$. The average complexity of finding such an $a$ is $O(\log q)$ operations in $\mathbb{F}_q$. The polynomial $f(x) = x^d - a$ is irreducible in $\mathbb{F}_q[x]$. This is well known but we try to prove it in a way that will be easily adapted to a more general context later.

The $\ell^{e+\delta}$-torsion $\mathbb{G}_m[\ell^{e+\delta}]$ of the multiplicative group $\mathbb{G}_m$ is isomorphic to $(\mathbb{Z}/\ell^{e+\delta}\mathbb{Z}, +)$ and the Frobenius endomorphism $\varphi_q : \mathbb{G}_m \to \mathbb{G}_m$ acts on it as multiplication by $q$. The roots of $f(x)$ lie in $\mathbb{G}_m[\ell^{e+\delta}]$ since $a$ has order $\ell^e$. The order of $q = 1 + \ell'\ell^e$ in $(\mathbb{Z}/\ell^{e+\delta}\mathbb{Z})^*$ is $\ell^\delta = d$. So the Frobenius acts transitively on the roots of $f(x)$.

An example: We take $p = 5$, $q = 5$, $\ell = 2$, $\delta = 3$ and $d = 8$. We check that $4$ divides $p - 1$. In particular $e = 2$ and $\ell' = 1$. The class $a = 2 \bmod 5$ generates the $2$-Sylow subgroup of $(\mathbb{Z}/5\mathbb{Z})^*$. Indeed $2^4 = 1 \bmod 5$ and $2^2 = -1 \bmod 5$. We set $f(x) = x^8 - 2$.

2.3 A special case

In this section we assume that $p$ is odd, $\ell = 2$ and $d = 2^\delta$ for some positive $\delta$. We need to adapt the methods of Section 2.2 in that special case because the group of units in $\mathbb{Z}/d\mathbb{Z}$ that are congruent to $1$ modulo $\ell$ is no longer cyclic when $\ell = 2$ and $\delta > 2$. We want to construct a degree $d$ irreducible polynomial in $K[x]$. This time we assume that $4$ does not divide $q - 1$. So $q$ is congruent to $3$ modulo $4$. We set $Q = q^2$ and observe that $4$ divides $Q - 1$.

We first look for a generator $c$ of $\mathbb{F}_Q$ over $K = \mathbb{F}_q$. For example we take $c$ a root of the polynomial $y^2 - r$ where $r$ is not a square in $K$. If $\delta = 1$ we are done. Assume now $\delta \ge 2$. We write $Q - 1 = 2^e \ell'$ where $\ell'$ is prime to $2$. We find a generator $a$ of the $2$-Sylow subgroup of $\mathbb{F}_Q^*$. The polynomial $F(x) = x^{d/2} - a$ is irreducible in $\mathbb{F}_Q[x]$. There remains to derive from $F(x)$ an irreducible polynomial $f(x)$ of degree $d$ in $K[x]$. We call $\bar a = \Phi_q(a) = a^q$ the conjugate of $a$ over $\mathbb{F}_q$. We can compute it at the expense of $O(\log q)$ operations in $K$. It is clear that $\bar a \neq a$ because the order of $a$ is divisible by $4$ and there is no point of order $4$ in $\mathbb{G}_m(\mathbb{F}_q)$. The polynomial $f(x) = (x^{d/2} - a)(x^{d/2} - \bar a)$ has coefficients in $K$. It is irreducible over $K$. Indeed, any root $b$ of $x^{d/2} - a$ is also a root of $f(x)$. The field $\mathbb{F}_q(b)$ generated by $b$ over $\mathbb{F}_q$ contains $a$ and it has degree $d/2$ over $\mathbb{F}_q(a) = \mathbb{F}_Q$ because $F(x)$ is irreducible in $\mathbb{F}_Q[x]$. So $b$ has degree $d$ over $\mathbb{F}_q$ and $f(x)$ is irreducible in $K[x]$.

An example: We take $p = 7$, $q = 7$, $\ell = 2$, $\delta = 3$ and $d = 8$. Since $4$ does not divide $q - 1$ we set $Q = q^2 = 49$. We factor $49 - 1 = 2^4 \times 3$ so $e = 4$ and $\ell' = 3$. We check that $r = 3 \bmod 7$ is not a square in $\mathbb{F}_7$. So we set $c = y \bmod y^2 - 3 \in \mathbb{F}_7[y]/(y^2 - 3)$. We set $a = (1 + c)^3 = 3 - c$ and check $a^{16} = 1$ and $a^8 = -1$. We set $F(x) = x^4 - a$. We compute $\bar a = a^7 = 3 + c$. We set $f(x) = (x^4 - a)(x^4 - \bar a) = x^8 + x^4 - 1$. This is an irreducible polynomial in $\mathbb{F}_7[x]$.
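The constructions of Sections 2.2 and 2.3 for a prime $q$, as an added Python example that is not from the paper. `radicial_orbit_size` returns the size of the Frobenius orbit of a root of $x^d - a$ (the order of $q$ modulo $\ell^{e+\delta}$), which equals $d$ exactly when the polynomial of Section 2.2 is irreducible; it shows why $q = 7$, $\ell = 2$ needs Section 2.3. `conjugate_product` carries out Section 2.3: it builds $\mathbb{F}_Q = \mathbb{F}_q[c]/(c^2 - r)$ as pairs $(u, v)$ for $u + vc$, finds a generator $a$ of the $2$-Sylow subgroup, computes $\bar a = a^q$, expands $f(x) = x^d - (a + \bar a)x^{d/2} + a\bar a$, and reports the orbit size of a root of $F$. The search for $a$ runs through the elements $u + vc$ in a fixed order instead of picking random elements as the text does; for $q = 7$, $\delta = 3$ it lands on $a = (1 + c)^3$ and reproduces $x^8 + x^4 - 1$.

```python
# Added example (not from the paper): Sections 2.2 and 2.3 for a prime q.

def mult_order(g, N):
    """Multiplicative order of g modulo N (g coprime to N)."""
    k, y = 1, g % N
    while y != 1:
        y, k = y * g % N, k + 1
    return k

def radicial_orbit_size(q, l, delta):
    """Section 2.2: with q - 1 = l^e l', the roots of x^d - a (a of order l^e, d = l^delta) lie in
    G_m[l^(e+delta)], on which the Frobenius acts as multiplication by q.  The polynomial is
    irreducible iff the orbit of a root has size d, i.e. iff q has order d modulo l^(e+delta)."""
    e = 0
    while (q - 1) % l ** (e + 1) == 0:
        e += 1
    return mult_order(q, l ** (e + delta))

def fq2_mul(x, y, r, q):
    """Product in F_Q = F_q[c]/(c^2 - r); (u, v) stands for u + v c."""
    return ((x[0] * y[0] + r * x[1] * y[1]) % q, (x[0] * y[1] + x[1] * y[0]) % q)

def fq2_pow(x, n, r, q):
    result = (1, 0)
    while n:
        if n & 1:
            result = fq2_mul(result, x, r, q)
        x, n = fq2_mul(x, x, r, q), n >> 1
    return result

def conjugate_product(q, delta):
    """Section 2.3 for a prime q = 3 mod 4 and d = 2^delta, delta >= 2.  Returns f(x) =
    (x^(d/2) - a)(x^(d/2) - abar) in F_q[x] (coefficients, constant term first) and the size of
    the Frobenius orbit of a root of F(x) = x^(d/2) - a, which equals d iff f is irreducible."""
    assert q % 4 == 3 and delta >= 2
    d, Q = 2 ** delta, q * q
    r = next(r for r in range(2, q) if pow(r, (q - 1) // 2, q) == q - 1)   # non-square in F_q
    e = 0
    while (Q - 1) % 2 ** (e + 1) == 0:
        e += 1
    lp = (Q - 1) >> e                                      # Q - 1 = 2^e l'
    for cand in ((u, v) for u in range(q) for v in range(1, q)):   # stand-in for a random choice
        a = fq2_pow(cand, lp, r, q)                        # a lies in the 2-Sylow subgroup ...
        if fq2_pow(a, 2 ** (e - 1), r, q) != (1, 0):       # ... and generates it
            break
    abar = fq2_pow(a, q, r, q)                             # Phi_q(a) = a^q, conjugate of a over F_q
    trace = ((a[0] + abar[0]) % q, (a[1] + abar[1]) % q)
    norm = fq2_mul(a, abar, r, q)
    assert trace[1] == 0 and norm[1] == 0 and abar != a    # a + abar, a abar in F_q; a not rational
    f = [0] * (d + 1)
    f[0], f[d // 2], f[d] = norm[0], (-trace[0]) % q, 1    # x^d - (a + abar) x^(d/2) + a abar
    # a root b of x^(d/2) - a has order 2^(e+delta-1); the Frobenius acts on G_m[2^(e+delta-1)]
    # as multiplication by q, so the Galois orbit of b has mult_order(q, 2^(e+delta-1)) elements.
    return f, mult_order(q, 2 ** (e + delta - 1))

if __name__ == "__main__":
    print(radicial_orbit_size(5, 2, 3), radicial_orbit_size(7, 2, 3))   # 8 (works), 2 (fails)
    print(conjugate_product(7, 3))                                       # x^8 + x^4 - 1, orbit 8
```

For $q = 5$, $\ell = 2$, $\delta = 3$ the order of $5$ modulo $32$ is $8$, so $x^8 - 2$ is irreducible as in the example of Section 2.2; for $q = 7$ the order of $7$ modulo $16$ is only $2$, and `conjugate_product(7, 3)` returns `[6, 0, 0, 0, 1, 0, 0, 0, 1]`, i.e. $x^8 + x^4 - 1$, together with an orbit of size $8$.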
2.4 Gauss periods

In this section we assume $\ell = 3$ and $d = 3^\delta$ and $p = q \neq 3$. We assume that $3$ does not divide $q - 1$. So $q$ is congruent to $2$ modulo $3$, and we cannot apply the method in Section 2.2. We experiment in this simple context an idea that will be decisive in Section 5. We base change to a small auxiliary extension. We set $Q = q^2$ and observe that $3$ divides $Q - 1$. We shall deal with the field $\mathbb{F}_Q$ with $Q$ elements. We note that this idea is valid for any prime $\ell$, but the degree of the auxiliary extension $\mathbb{F}_Q/\mathbb{F}_q$ might be quite large (up to $\ell - 1$) for a general $\ell$. This is the reason why we shall later need to adapt this construction to the context of Kummer theory of elliptic curves.

We first need to build a computational model for this field. For example we pick a degree $2$ irreducible polynomial $y^2 - r_1 y + r_2$ in $K[y]$ and set $L = K[y]/(y^2 - r_1 y + r_2)$. We set $c = y \bmod y^2 - r_1 y + r_2$. We write $Q - 1 = 3^e \ell'$ where $\ell'$ is prime to $3$. We find a generator $a$ of the $3$-Sylow subgroup of $L^*$. The polynomial $F(x) = x^d - a$ is irreducible in $L[x]$. There remains to derive from $F(x)$ an irreducible polynomial $f(x)$ of degree $d$ in $K[x]$.

Let $b = x \bmod F(x)$. This is a root of $F(x)$ in $L[x]/(F(x))$. The latter field has $q^{2d}$ elements. Recall $\Phi_q$ is the application which raises to the $q$-th power. We have $\Phi_Q = \Phi_q^2$, and $\Phi_{q^d} = \Phi_q^d$ is the non-trivial automorphism of $L[x]/(F(x))$ over its subfield with $q^d$ elements. For any $\alpha \in L[x]/(F(x))$ we set $\Sigma_1(\alpha) = \alpha + \Phi_{q^d}(\alpha)$ and $\Sigma_2(\alpha) = \alpha \times \Phi_{q^d}(\alpha)$. The situation is summarized by the tower of fields
$$K \simeq \mathbb{F}_p \;\subset\; L \simeq \mathbb{F}_{p^2} \;\subset\; L[x]/(F(x)) \simeq \mathbb{F}_{p^{2d}}.$$

Since $d$ is a prime power, at least one among $\Sigma_1(b)$ and $\Sigma_2(b)$ generates an extension of degree $d$ of $\mathbb{F}_q$. Otherwise $\Sigma_1(b)$ and $\Sigma_2(b)$ would both belong to the unique extension of degree $d/3$ of $K$ inside $L[x]/(F(x))$; and $b$, being a root of $t^2 - \Sigma_1(b)\,t + \Sigma_2(b)$, would then belong to the degree $d/3$ extension of $L$ inside $L[x]/(F(x))$, a contradiction. See also Lemma 1 of Section 7.1.

In other words, there exists a $k \in \{1, 2\}$ such that the polynomial
$$f(x) = \prod_{0 \le i \le d-1} \left(x - \Phi_q^i(\Sigma_k(b))\right)$$
is irreducible of degree $d$ in $K[x]$.

Three questions now worry us:

1. How to compute $\Sigma_k(b)$ for $k \in \{1, 2\}$?

2. How to find the good integer $k$?

3. How to compute $f(x)$ starting from $F(x)$?

• Question 1 boils down to asking how to compute $\Phi_{q^d}(b)$. A first method would be to compute it as $b^{q^d}$ at the expense of $O(d \log q)$ operations in $L[x]/(F(x))$. This would require $O(\log q) \times d^{2+o(1)}$ operations in $K$. This is too much for us.
Instead of that, we should remind ourselves of the geometric origin of the polynomial $F(x)$. Indeed, $b$ lies in $\mathbb{G}_m[3^{e+\delta}]$. We write $q^d = R \bmod 3^{e+\delta}$ where $0 \le R < 3^{e+\delta} \le Qd$. Then $\Phi_{q^d}(b) = b^R$ can be computed at the expense of $O(\log R) = O(\log q + \log d)$ operations in $L[x]/(F(x))$. This requires $O(\log q) \times d^{1+o(1)}$ operations in $K$.

• Question 2 can be solved by comparing $\Sigma_1(b)$ and its conjugate by $\Phi_q^{d/3}$, namely
$$\Phi_q^{d/3}(\Sigma_1(b)) = \Sigma_1(\Phi_q^{d/3}(b)) = \Phi_q^{d/3}(b) + \Phi_q^{d + d/3}(b).$$
Each of the two terms in the above sum can be computed as explained in the paragraph above. If $\Sigma_1(b)$ equals this conjugate, it lies in the degree $d/3$ extension of $K$ and we take $k = 2$.

• Question 3 is related to the following problem: we are given $\Sigma_k(b)$ for $k \in \{1, 2\}$. We know that $\Sigma_k(b)$ belongs to the degree $d$ extension of $K$ inside $L[x]/(F(x))$. We want to compute its minimal polynomial $f(x)$ as a polynomial in $K[x] \subset L[x]$. One can apply a general algorithm for this task, such as the one given by Kedlaya and Umans [15, 9]. See also Theorem 4 in Section 7.5 below. They show that it is possible to compute this minimal polynomial at the expense of $d^{1+o(1)} \times (\log q)^{1+o(1)}$ elementary operations. Thus the complexity is quasi-linear in $d$.

An example: We take $p = q = 5$, $\ell = 3$, $\delta = 2$, $d = 9$. So $Q = 25$, $Q - 1 = 3 \times 8$, $e = 1$ and $\ell' = 8$. We check that $r = 2 \bmod 5$ is not a square. We set $c = y \bmod y^2 - 2 \in \mathbb{F}_5[y]/(y^2 - 2)$. We compute $a = (1 + c)^8 = 2 + 3c$. We check $a^3 = 1$ and $a \neq 1$. We set $F(x) = x^9 - a$ and $b = x \bmod F(x)$. We need to compute the conjugate of $b$ above $\mathbb{F}_{5^9}$. This is $b^{5^9}$. Remind $b$ lies in $\mathbb{G}_m[27]$. So we don't raise $b$ to the power $5^9$ brutally. We rather compute $5^9 = 1953125 = -1 \bmod 27$. So $\Phi_{5^9}(b) = 1/b = 2(y + 1)x^8 \bmod (x^9 - 2 - 3y,\ y^2 - 2,\ 5)$. The product $\Sigma_2(b) = 1$ is not the good candidate. So we compute the characteristic polynomial of $\Sigma_1(b) = b + 1/b$ and find $f(x) = x^9 + x^7 + 2x^5 + 4x + 1 \in \mathbb{F}_5[x]$.

3 Compositum

In this section $K$ is a finite field with $q = p^w$ elements and $\Omega$ is an algebraic closure of $K$. For every positive integer $k$, we denote by $\mathbb{F}_{p^k}$ the unique subfield of $\Omega$ with $p^k$ elements. We have seen in Section 2 how to construct an irreducible polynomial of degree $d$ in $K[x]$ when $d$ is a prime power $\ell^\delta$ and $\ell$ divides $p(q-1)$. In Sections 4 and 5 we shall treat the case when $d$ is a prime power $\ell^\delta$ and $\ell$ is prime to $p(q-1)$.

The last problem to be considered is thus the following one: given two irreducible polynomials $f_1(x)$ and $f_2(x)$ in $K[x]$ with coprime degrees $d_1$ and $d_2$, construct a degree $d_1 d_2$ irreducible polynomial.

Let $\alpha_1 \in \Omega$ be a root of $f_1(x)$. Let $\alpha_2 \in \Omega$ be a root of $f_2(x)$. We first show that $\alpha_1 + \alpha_2$ generates an extension of degree $d_1 d_2$ of $\mathbb{F}_q$. Indeed, let $\Phi \in \mathrm{Gal}(\Omega/\mathbb{F}_q)$ be an automorphism that fixes $\alpha_1 + \alpha_2$:
$$\Phi(\alpha_1 + \alpha_2) = \alpha_1 + \alpha_2. \qquad (1)$$
One deduces that $\Phi(\alpha_1) - \alpha_1 = \alpha_2 - \Phi(\alpha_2)$ is an element $\gamma$ of the intersection $\mathbb{F}_q$ of $\mathbb{F}_{q^{d_1}}$ and $\mathbb{F}_{q^{d_2}}$. Since $\gamma$ is fixed by $\Phi$, we get $\Phi^k(\alpha_1) = \alpha_1 + k\gamma$ for every $k \ge 0$. The order of $\Phi$ acting on $\mathbb{F}_{q^{d_1}}$ divides $d_1$. So $\Phi^{d_1}(\alpha_1) - \alpha_1 = d_1\gamma = 0$. We prove in the same way that $d_2\gamma = 0$. Since $d_1$ and $d_2$ are coprime we deduce that $\gamma = 0$. Thus $\Phi$ acts trivially on $\mathbb{F}_{q^{d_1}} = \mathbb{F}_q(\alpha_1)$ and on $\mathbb{F}_{q^{d_2}} = \mathbb{F}_q(\alpha_2)$, therefore also on their compositum $\mathbb{F}_{q^{d_1 d_2}}$. So $\alpha_1 + \alpha_2$ generates this compositum.

The same argument, with quotients in place of differences, proves that $\alpha_1 \alpha_2$ generates $\mathbb{F}_{q^{d_1 d_2}}$.

It is thus enough to compute the minimal polynomial of the sum or the product of $\alpha_1$ and $\alpha_2$. For this task, one may follow work by Bostan, Flajolet, Salvy and Schost [3], based on algorithms for symmetric power sums due to Kaltofen and Pan [5] and Schönhage [13]. See also [4]. This yields an algorithm with a quasi-linear time complexity in $d_1 d_2$.
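The descent step that Section 2.4 (questions 1 and 3) and Section 3 both rely on, as an added Python example that is not from the paper and uses plain linear algebra over $\mathbb{F}_p$ in place of the quasi-linear algorithms of Kedlaya and Umans and of Bostan, Flajolet, Salvy and Schost. It represents $A = L[x]/(h(x))$ with $L = \mathbb{F}_p[y]/(g(y))$, computes the minimal polynomial over $\mathbb{F}_p$ of an element of $A$ as the first linear dependency among its powers, and applies this to $\alpha_1 + \alpha_2$ in $\mathbb{F}_p[x]/(f_1) \otimes \mathbb{F}_p[y]/(f_2)$ (Section 3, with our own choice $p = 3$, $f_1 = x^2 + 1$, $f_2 = y^3 - y - 1$) and to $\Sigma_1(b)$ and $\Sigma_2(b)$ in the example of Section 2.4, where $\Phi_{5^9}(b)$ is obtained as $b^R$ with $R = 5^9 \bmod 27$ exactly as the text does. A prime $q = p$ is assumed throughout.

```python
# Added example (not from the paper): minimal polynomials over F_p by linear algebra, applied to
# the compositum of Section 3 and to the Gauss-period example of Section 2.4.
# Polynomials are coefficient lists, constant term first.

def fp_mulmod(a, b, m, p):
    """a*b in F_p[t]/(m), m monic of degree n >= 1; a and b have at most n coefficients."""
    n = len(m) - 1
    c = [0] * max(2 * n - 1, 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[i + j] = (c[i + j] + ai * bj) % p
    for i in range(2 * n - 2, n - 1, -1):          # t^n = -(m_0 + m_1 t + ... + m_{n-1} t^{n-1})
        if c[i]:
            for j in range(n):
                c[i - n + j] = (c[i - n + j] - c[i] * m[j]) % p
    return c[:n]

def alg_mul(u, v, g, h, p):
    """u*v in A = L[x]/(h) with L = F_p[y]/(g), h monic with coefficients in L.  An element of A
    is a list of deg(h) elements of L, each a list of deg(g) scalars."""
    m, n = len(g) - 1, len(h) - 1
    c = [[0] * m for _ in range(max(2 * n - 1, 1))]
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w = fp_mulmod(ui, vj, g, p)
            c[i + j] = [(s + t) % p for s, t in zip(c[i + j], w)]
    for i in range(2 * n - 2, n - 1, -1):          # x^n = -(h_0 + ... + h_{n-1} x^{n-1})
        if any(c[i]):
            for j in range(n):
                w = fp_mulmod(c[i], h[j], g, p)
                c[i - n + j] = [(s - t) % p for s, t in zip(c[i - n + j], w)]
    return c[:n]

def alg_pow(u, e, one, mul):
    """u^e by square-and-multiply: O(log e) multiplications, as for Phi_{q^d}(b) = b^R in the text."""
    result = one
    while e:
        if e & 1:
            result = mul(result, u)
        u, e = mul(u, u), e >> 1
    return result

def min_poly(s, one, mul, p):
    """Minimal polynomial over F_p of s in a finite-dimensional F_p-algebra: the first linear
    dependency among 1, s, s^2, ..., found by incremental Gaussian elimination."""
    flat = lambda u: [c for coeff in u for c in coeff]
    N = len(flat(one))
    basis, power, k = [], one, 0                   # basis rows: (pivot, vector, combination)
    while True:
        vec, combo = flat(power), [0] * (N + 1)
        combo[k] = 1                               # invariant: vec = sum_i combo[i] * s^i
        for piv, bvec, bcombo in basis:
            if vec[piv]:
                f = vec[piv]
                vec = [(a - f * b) % p for a, b in zip(vec, bvec)]
                combo = [(a - f * b) % p for a, b in zip(combo, bcombo)]
        piv = next((i for i, a in enumerate(vec) if a), None)
        if piv is None:                            # s^k depends on lower powers: combo is monic
            return combo[:k + 1]
        inv = pow(vec[piv], p - 2, p)
        basis.append((piv, [(a * inv) % p for a in vec], [(a * inv) % p for a in combo]))
        power, k = mul(power, s), k + 1

def compositum_min_poly(f1, f2, p):
    """Section 3: minimal polynomial over F_p of alpha_1 + alpha_2 with f1(alpha_1) = f2(alpha_2) = 0,
    computed in F_p[x]/(f1) (x) F_p[y]/(f2), realised as A = L[x]/(f1) with L = F_p[y]/(f2)."""
    n, m = len(f1) - 1, len(f2) - 1
    h = [[c % p] + [0] * (m - 1) for c in f1]       # f1 with coefficients viewed in L
    one = [[1] + [0] * (m - 1)] + [[0] * m for _ in range(n - 1)]
    s = [[0] * m for _ in range(n)]
    s[1][0], s[0][1] = 1, 1                          # s = x + y  (needs n, m >= 2)
    return min_poly(s, one, lambda u, v: alg_mul(u, v, f2, h, p), p)

def gauss_period_example():
    """Section 2.4 example: p = q = 5, L = F_5[y]/(y^2 - 2), a = 2 + 3c generates the 3-Sylow
    subgroup of L^*, F(x) = x^9 - a, b = x mod F(x).  Returns the minimal polynomials over F_5 of
    Sigma_1(b) = b + Phi_{5^9}(b) and Sigma_2(b) = b * Phi_{5^9}(b)."""
    p, g, a = 5, [3, 0, 1], [2, 3]                   # y^2 - 2 = y^2 + 3 over F_5; a = 2 + 3c
    h = [[(-c) % p for c in a]] + [[0, 0] for _ in range(8)] + [[1, 0]]   # F(x) = x^9 - a
    mul = lambda u, v: alg_mul(u, v, g, h, p)
    one = [[1, 0]] + [[0, 0] for _ in range(8)]
    b = [[0, 0], [1, 0]] + [[0, 0] for _ in range(7)]
    # b lies in G_m[27], so Phi_{5^9}(b) = b^R with R = 5^9 mod 27 = 26 (i.e. 1/b) instead of b^(5^9)
    frob = alg_pow(b, pow(5, 9, 27), one, mul)
    sigma1 = [[(s + t) % p for s, t in zip(u, v)] for u, v in zip(b, frob)]
    sigma2 = mul(b, frob)
    return min_poly(sigma1, one, mul, p), min_poly(sigma2, one, mul, p)

if __name__ == "__main__":
    print(compositum_min_poly([1, 0, 1], [2, 2, 0, 1], 3))   # degree 6 over F_3
    print(gauss_period_example())                             # degree 9 and degree 1 over F_5
```

For the compositum the result is $t^6 + t^4 + t^3 + t^2 + 2t + 2$, which equals $f_2(t - i)f_2(t + i)$ over $\mathbb{F}_3$, and its degree $d_1 d_2 = 6$ confirms that $\alpha_1 + \alpha_2$ generates the compositum. For the Gauss-period example the minimal polynomial of $\Sigma_1(b)$ is $x^9 + x^7 + 2x^5 + 4x + 1$ as in the text, while $\Sigma_2(b)$ has minimal polynomial $x - 1$: its degree is not $d$, which is how the "good integer $k$" of question 2 is recognized.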



4 Isogeny fibers

In this section we show how to construct irreducible polynomials using elliptic curves. Let $K$ be a field and let $\Omega$ be an algebraic closure of $K$. Let $E/K$ be an elliptic curve given by the Weierstrass equation
$$E/K : Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3.$$
We denote by $O_E = [0:1:0]$ the origin of $E$ and by $x = X/Z$, $y = Y/Z$ the affine coordinates associated with the projective coordinates $[X:Y:Z]$.

Let $E'/K$ be another elliptic curve in Weierstrass form. We define $X', Y', Z', a'_1, a'_2, a'_3, a'_4, a'_6, x', y', O'$ similarly. Let $\iota/K : E/K \to E'/K$ be a degree $d$ separable isogeny. We assume that $d$ is a positive odd number and the kernel $\mathrm{Ker}\,\iota$ is cyclic. Let $T \in E(\Omega)$ be a generator of $\mathrm{Ker}\,\iota$. Let $\psi_\iota(x) \in K[x]$ be the degree $(d-1)/2$ polynomial
$$\psi_\iota(x) = \prod_{1 \le k \le (d-1)/2} \left(x - x(kT)\right). \qquad (2)$$
There exists a degree $d$ polynomial $\phi_\iota(x) \in K[x]$ and a polynomial $\omega_\iota(x, y) = \omega_0(x) + y\,\omega_1(x) \in K[x, y]$ with degree $1$ in $y$ such that the image of the point $(x, y)$ by $\iota$ is $(x', y')$ where
$$x' = \frac{\phi_\iota(x)}{\psi_\iota(x)^2} \qquad\text{and}\qquad y' = \frac{\omega_\iota(x, y)}{\psi_\iota(x)^3}.$$
We call $I(x) \in K(x)$ the rational fraction $I(x) = \phi_\iota(x)/\psi_\iota(x)^2$.

Now let $A$ be a $K$-rational point on $E'$ such that $2A \neq O'$ and let $B \in E(\Omega)$ be a point on $E$ such that $\iota(B) = A$. We define the polynomial
$$f_{\iota,A}(x) = \phi_\iota(x) - x'(A)\,\psi_\iota^2(x) \in K[x].$$
This is a separable polynomial. Its roots are the $x(B + kT)$ for $0 \le k < d$. The map $x : E(\Omega) - O_E \to \Omega$ induces a Galois equivariant bijection between the fiber $\iota^{-1}(A)$ and the roots of $f_{\iota,A}(x)$. In particular, $f_{\iota,A}(x)$ is irreducible if and only if the fiber $\iota^{-1}(A)$ is.

The residue ring of $\iota^{-1}(A)$ is $K[x]/(f_{\iota,A}(x))$ and the class of $y$ in this ring is given by the equation
$$y = \frac{y'(A)\,\psi_\iota^3(x) - \omega_0(x)}{\omega_1(x)} \bmod f_{\iota,A}(x). \qquad (3)$$

The two questions that worry us are the following ones.

• Can we compute $f_{\iota,A}(x)$ quickly, e.g. in quasi-linear time in $d$?

• Under which conditions is $f_{\iota,A}(x)$ irreducible?

These two questions are successively addressed in Sections 4.1 and 4.2. In Section 4.3 we deduce a fast algorithm that constructs a degree $d$ irreducible polynomial in $K[x]$ when $K$ is a finite field with $q = p^w$ elements and $d = \ell^\delta$ is a power of a prime $\ell$ such that $\ell$ is prime to $p(q-1)$ and $4\ell \le q^{1/4}$.
4.1 Calculation of the polynomial $f_{\iota,A}(x)$

For any geometric point $P \in E(\Omega)$, we denote by $\tau_P : E \to E$ the translation by $P$. Let $x_P$ be the function $x \circ \tau_P$ and similarly let $y_P$ be the function $y \circ \tau_P$. If $P = kT$, we moreover define $x_k = x_{kT}$ and $y_k = y_{kT}$. Recall $d$ is assumed to be odd. In this section we present methods for fast construction of isogenies. Section 4.1.1 concerns isogenies with split cyclic kernel. We just recall Vélu's formulae in that case. Section 4.1.2 recalls how one can take advantage of the decomposition of an isogeny into several ones with smaller degrees. This is particularly useful when $E/K$ has complex multiplication and the isogeny in question is the kernel isogeny associated to some power of an invertible prime ideal in the endomorphism ring of $E$. This idea is detailed in Section 4.1.3.

4.1.1 Vélu's isogenies

In this paragraph, we assume that $T$ is a $K$-rational point and $\iota$ is the isogeny given by Vélu's formulae [16]:
$$x' = x + \sum_{0 < k < d} \left[x_k - x(kT)\right], \qquad y' = y + \sum_{0 < k < d} \left[y_k - y(kT)\right]. \qquad (4)$$
We put some order in Eq. (4). We first express $x_{kT}$ in terms of $x$ and $y$,
$$\begin{aligned}
x_{kT} \times (x - x(kT))^2 = {}& x(kT)\,x^2 + \left(a_3 + 2y(kT) + a_1 x(kT)\right) y \\
&+ \left(a_4 + a_1^2 x(kT) + a_1 a_3 + 2a_2 x(kT) + a_1 y(kT) + x(kT)^2\right) x \\
&+ a_3^2 + a_1 a_3 x(kT) + a_3 y(kT) + a_4 x(kT) + 2a_6. \qquad (5)
\end{aligned}$$
We deduce that $x_{kT} + x_{-kT} - 2x(kT)$ is equal to
$$\frac{\left(6x(kT)^2 + (a_1^2 + 4a_2)\,x(kT) + a_1 a_3 + 2a_4\right) x - 2x(kT)^3 + (a_1 a_3 + 2a_4)\,x(kT) + a_3^2 + 4a_6}{(x - x(kT))^2}. \qquad (6)$$
One computes the rational fraction $x' = \phi_\iota(x)/\psi_\iota(x)^2$ using Eqs. (4) and (6) by gathering the terms relative to $k$ and $-k$, with the help of a divide and conquer strategy. Complexity is quasi-linear in $d$. A similar calculation gives us the explicit form of $y' = \omega_\iota(x, y)/\psi_\iota(x)^3$.

4.1.2 Composition of isogenies

Assume $d$ factors as $d_1 d_2$. Then the degree $d$ isogeny $\iota : E \to E'$ decomposes as $\iota = \iota_2 \circ \iota_1$ where $\iota_1 : E \to F$ is a degree $d_1$ isogeny and $\iota_2 : F \to E'$ is a degree $d_2$ isogeny. The kernel of $\iota_1$ is generated by $d_2 T$ and the kernel of $\iota_2$ is generated by $\iota_1(T)$. Let $I(x)$ be the degree $d$ rational fraction associated with $\iota$. Define similarly $I_1(x)$ and $I_2(x)$. Then $I(x) = I_2(I_1(x))$. We may then compute $I(x)$ in three steps: first compute $I_1(x)$, then compute $I_2(x)$, and finally compute the composition $I = I_2 \circ I_1$ using work by Umans and Kedlaya [15, 9]. See Corollary 2 in Section 7.5.

4.1.3 A special simple case

We now assume that $K$ is a finite field with $q = p^w$ elements. Let $\varphi_q : E \to E$ be the Frobenius endomorphism of $E$ and $t$ its trace. Let $\mathcal{O}$ be the quotient ring $\mathbb{Z}[X]/(X^2 - tX + q)$ and let $\alpha$ be the class of $X$ in $\mathcal{O}$. We call $\epsilon : \mathcal{O} \to \mathrm{End}(E)$ the ring monomorphism that sends $\alpha$ onto $\varphi_q$. For every subset $S$ of $\mathcal{O}$ we define the kernel of $S$ in $E$ to be the intersection of all the kernels of the endomorphisms $\epsilon(s)$ for $s \in S$. This is a subgroup scheme of $E$. We denote it by $E[S]$. Let $\ell$ be a prime not dividing $p(q-1)$. We assume that $\ell$ divides the order $q + 1 - t$ of $E(K)$. As a consequence $\ell$ is coprime to $t^2 - 4q$. We have
$$X^2 - tX + q = (X - 1)(X - q) \bmod \ell,$$
because $1 - t + q$ is divisible by $\ell$ and the product of the roots of $X^2 - tX + q$ equals $q$. Furthermore, the roots $1 \bmod \ell$ and $q \bmod \ell$ are distinct because $\ell$ does not divide $q - 1$.

Let $\mathfrak{l} = (\ell, \alpha - 1)$ be the prime ideal in $\mathcal{O}$ above $\ell$ and containing $\alpha - 1$. This is an invertible ideal. Its kernel in $E$ is $E[\mathfrak{l}] = E[\ell](K)$, the rational part of the $\ell$-torsion of $E$.

Let $m$ be a positive integer. According to Hensel's lemma, there exist two integers $\lambda_m$ and $\mu_m$ in $[0, \ell^m[$ such that $\lambda_m = 1 \bmod \ell$, $\mu_m = q \bmod \ell$ and
$$X^2 - tX + q = (X - \lambda_m)(X - \mu_m) \bmod \ell^m.$$
The ideal $\mathfrak{l}^m$ of $\mathcal{O}$ is generated by $\ell^m$ and $\alpha - \lambda_m$. The kernel of $\mathfrak{l}^m$ in $E$ is a cyclic group of order $\ell^m$ inside $E(\Omega)$. We denote by $\iota_m : E \to E_m$ the quotient isogeny by $E[\mathfrak{l}^m]$. The elliptic curve $E_m$ is defined over $K$, a finite field with $q$ elements. Let $\epsilon_m : \mathcal{O} \to \mathrm{End}(E_m)$ be the ring homomorphism that sends $\alpha$ onto the $q$-Frobenius endomorphism of $E_m$. The two homomorphisms $\epsilon$ and $\epsilon_m$ are compatible with the isogeny in the sense that for every $s$ in $\mathcal{O}$ one has $\epsilon_m(s) \circ \iota_m = \iota_m \circ \epsilon(s)$. For every subset $S$ of $\mathcal{O}$ we define the kernel of $S$ in $E_m$ to be the intersection of all the kernels of the endomorphisms $\epsilon_m(s)$ for $s \in S$. This is a subgroup scheme of $E_m$. We denote it by $E_m[S]$.

Using Lemma 2 of Section 7.2 we see that $\iota_{m+1} : E \to E_{m+1}$ decomposes as $j_{m+1} \circ \iota_m$ where $j_{m+1} : E_m \to E_{m+1}$ is a degree $\ell$ isogeny with kernel $E_m[\mathfrak{l}] = E_m[\ell](K)$.

We denote by $I_m(x) \in K(x)$ the degree $\ell^m$ rational fraction associated with $\iota_m$. We denote by $J_m \in K(x)$ the degree $\ell$ rational fraction associated with $j_m$. We have $j_1 = \iota_1$. So $I_1 = J_1$ and $I_m = J_m \circ \cdots \circ J_2 \circ J_1$. Every rational fraction $J_m$ can be computed using the method of Paragraph 4.1.1. The composition can be computed using the method in Paragraph 4.1.2.

4.2 Irreducibility conditions

We assume that we still are in the situation of Paragraph 4.1.3. We have a finite field $K$ with $q$ elements. We denote by $p$ its characteristic. We have an elliptic curve $E$ over $K$. We denote by $\varphi_q : E \to E$ the Frobenius endomorphism of $E$ and by $t$ its trace. Let $\ell$ be a prime not dividing $p(q-1)$. In particular $\ell$ is odd. We assume that $\ell$ divides the order $q + 1 - t$ of $E(K)$. We want to construct an irreducible polynomial $f(x) \in K[x]$ with degree $d = \ell^\delta$. We factor $q + 1 - t$ as $q + 1 - t = \ell^e \ell'$ where $\ell'$ is prime to $\ell$. We use the notation introduced in Paragraph 4.1.3. There exist two integers $\lambda_{e+\delta}$ and $\mu_{e+\delta}$ such that
$$\lambda_{e+\delta} = 1 \bmod \ell^e, \qquad \mu_{e+\delta} = q \bmod \ell,$$
$$X^2 - tX + q = (X - \lambda_{e+\delta})(X - \mu_{e+\delta}) \bmod \ell^{e+\delta}.$$
We write $\lambda_{e+\delta} = 1 + \ell^e \ell''$ with $\ell''$ prime to $\ell$. In the sequel we set $\lambda = \lambda_{e+\delta}$ and $\mu = \mu_{e+\delta}$. Let now
$$\mathfrak{d} = (d, \alpha - \lambda) = (\ell, \alpha - \lambda)^\delta = \mathfrak{l}^\delta.$$
This is an invertible ideal. Its kernel $E[\mathfrak{d}]$ in $E$ is the kernel of the isogeny $\iota_\delta : E \to E_\delta$. The $\ell$-Sylow subgroup of $E_\delta(K)$ is the kernel of $\mathfrak{l}^e = (\ell^e, \alpha - 1)$ in $E_\delta$ and it is cyclic. Let $A$ be a generator of it. Let $B \in E(\Omega)$ such that $\iota_\delta(B) = A$. Then $B$ generates the kernel of $\mathfrak{l}^{e+\delta} = (\ell^{e+\delta}, \varphi_q - \lambda)$ in $E$. Especially,
$$\varphi_q(B) = \lambda B, \qquad (7)$$
and the order of $\lambda = 1 + \ell^e \ell''$ in $(\mathbb{Z}/\ell^{e+\delta}\mathbb{Z})^*$ is $d = \ell^\delta$. Thus, the Galois orbit of $B$ has cardinality $d$ and the polynomial $f_{\iota_\delta, A}(x)$ is irreducible.

4.3 Existence conditions

Assume we are given a finite field $K$ with characteristic $p$ and cardinality $q$ and an integer $d = \ell^\delta$ such that $\ell$ is prime to $p(q-1)$. We look for a degree $d$ irreducible polynomial in $K[x]$. The construction in Section 4.2 requires an elliptic curve over $K$ such that $\ell$ divides the cardinality $q + 1 - t$ of $E(K)$. Is there any such elliptic curve? How can we find it?

If $\ell \le 2\sqrt{q}$ then there are at least two consecutive integer multiples of $\ell$ in the interval $[q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q}]$. At least one of them is not congruent to $1$ modulo $p$. So there exists at least one elliptic curve with cardinality divisible by the prime $\ell$.

We want to bound from below the number of such elliptic curves. We use the results of Lenstra [10] extended by Howe [7]. From Theorem 2 and Corollary 1 of Section 7.4 we deduce that the proportion of Weierstrass elliptic curves over a finite field $K$ with $q$ elements having order divisible by $\ell$ is, up to an error term bounded in absolute value in Corollary 1, of order $1/\ell$. We deduce that if
$$4\ell \le q^{1/4} \qquad (8)$$
then this proportion is at least a constant times $1/\ell$.

In that case, we can find such an elliptic curve in the following way: we pick a random Weierstrass elliptic curve over $K$. We compute its cardinality using Schoof's algorithm at the expense of $(\log q)^{5+o(1)}$ elementary operations. If this cardinality is divisible by $\ell$ we are done. Otherwise we try again. The average number of trials is $O(\ell)$. The expected time to find the needed curve $E$ is $O(\ell\,(\log q)^{4+o(1)})$ operations in $K$ provided condition (8) holds true.

The conclusion of this section is that we have a fast algorithm that constructs a degree $d$ irreducible polynomial in $K[x]$ when $K$ is a finite field with $q = p^w$ elements and $d = \ell^\delta$ is a power of a prime $\ell$ such that $\ell$ is prime to $p(q-1)$ and $4\ell \le q^{1/4}$.
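Vélu's formulae of Section 4.1.1 and the fiber polynomial $f_{\iota,A}(x) = \phi_\iota(x) - x'(A)\psi_\iota(x)^2$ of Section 4 in working Python, as an added example that is not from the paper. It is restricted to short Weierstrass curves $y^2 = x^3 + ax + b$ over a prime field ($a_1 = a_2 = a_3 = 0$, $a_4 = a$, $a_6 = b$, so the numerator of Eq. (6) reduces to $t_Q(x - x_Q) + u_Q$ with $t_Q = 2(3x_Q^2 + a)$ and $u_Q = 4y_Q^2$) and to a kernel generated by a rational point of odd order. It reproduces the example of Section 4.4 below; since the equation of $E$ did not survive extraction there, the code assumes $E : y^2 = x^3 + x + 4$, the only short Weierstrass curve over $\mathbb{F}_7$ through the four listed non-trivial points of $\langle T \rangle$, and checks that it has ten points. The last function carries out the orbit count of Section 4.2: the Frobenius eigenvalue $\lambda \equiv 1 \bmod \ell^e$, taken modulo $\ell^{e+\delta}$, has multiplicative order $\ell^\delta$.

```python
# Added example (not from the paper): Velu's formulae and f_{iota,A}(x) for y^2 = x^3 + a x + b
# over F_p, with the data of the example of Section 4.4 (curve equation assumed: y^2 = x^3 + x + 4).
# Polynomials are coefficient lists, constant term first; None stands for the origin O_E.

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + a x + b over F_p."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, p - 2, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_count(a, b, p):
    """#E(F_p) by exhaustion (the text uses Schoof's algorithm; this is only for tiny p)."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x ** 3 + a * x + b) % p, 0) for x in range(p))

def poly_mul(u, v, p):
    w = [0] * (len(u) + len(v) - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[i + j] = (w[i + j] + ui * vj) % p
    return w

def poly_add(u, v, p):
    n = max(len(u), len(v))
    return [((u[i] if i < len(u) else 0) + (v[i] if i < len(v) else 0)) % p for i in range(n)]

def velu(a, b, T, p):
    """Kernel <T>, T of odd order d.  Returns (a', b') of E' = E/<T> and (phi, psi) with
    x' = phi(x)/psi(x)^2 and psi(x) = prod_{1 <= k <= (d-1)/2} (x - x(kT)), Eq. (2) of the text."""
    multiples, P = [], T
    while P is not None:                                  # T, 2T, ..., (d-1)T
        multiples.append(P)
        P = ec_add(P, T, a, p)
    d = len(multiples) + 1
    assert d % 2 == 1
    reps = multiples[:(d - 1) // 2]                       # one of kT, -kT for each pair
    psi = [1]
    for xq, _ in reps:
        psi = poly_mul(psi, [(-xq) % p, 1], p)
    phi, t_sum, w_sum = poly_mul([0, 1], poly_mul(psi, psi, p), p), 0, 0
    for xq, yq in reps:
        # pair kT with -kT as in Eq. (6): (t_Q (x - x_Q) + u_Q) / (x - x_Q)^2 with
        # t_Q = 2(3 x_Q^2 + a), u_Q = 4 y_Q^2, cleared of its denominator by psi(x)^2
        tq, uq = 2 * (3 * xq * xq + a) % p, 4 * yq * yq % p
        t_sum, w_sum = (t_sum + tq) % p, (w_sum + uq + xq * tq) % p
        rest = [1]
        for xr, _ in reps:
            if xr != xq:
                rest = poly_mul(rest, [(-xr) % p, 1], p)
        rest = poly_mul(rest, rest, p)                    # psi(x)^2 / (x - x_Q)^2
        phi = poly_add(phi, poly_mul([(uq - tq * xq) % p, tq], rest, p), p)
    return ((a - 5 * t_sum) % p, (b - 7 * w_sum) % p), phi, psi

def fiber_polynomial(a, b, T, A, p):
    """f_{iota,A}(x) = phi(x) - x'(A) psi(x)^2; its roots are the x(B + kT) with iota(B) = A."""
    (a2, b2), phi, psi = velu(a, b, T, p)
    assert (A[1] ** 2 - A[0] ** 3 - a2 * A[0] - b2) % p == 0       # A lies on E'
    psi2 = poly_mul(psi, psi, p)
    return poly_add(phi, [(-A[0] * c) % p for c in psi2], p), (a2, b2)

def frobenius_eigenvalue_order(q, n_points, l, delta):
    """Section 4.2: with q + 1 - t = #E(F_q) = l^e l', the root lambda = 1 mod l^e of X^2 - tX + q,
    taken modulo l^(e+delta), has multiplicative order l^delta = size of the Galois orbit of B."""
    t, e = q + 1 - n_points, 0
    while n_points % l ** (e + 1) == 0:
        e += 1
    N = l ** (e + delta)
    lam = next(x for x in range(1, N, l ** e) if (x * x - t * x + q) % N == 0)
    k, y = 1, lam
    while y != 1:
        y, k = y * lam % N, k + 1
    return k

def section_4_4_example():
    """p = q = 7, E: y^2 = x^3 + x + 4 (assumed), T = (6, 4), A = (1, 1), l = 5, delta = 1."""
    p, a, b, T, A = 7, 1, 4, (6, 4), (1, 1)
    f, E2 = fiber_polynomial(a, b, T, A, p)
    n_points = ec_count(a, b, p)
    return f, E2, n_points, frobenius_eigenvalue_order(p, n_points, 5, 1)

if __name__ == "__main__":
    print(section_4_4_example())
```

The call returns `([3, 1, 4, 1, 0, 1], (3, 4), 10, 5)`: the polynomial $x^5 + x^3 + 4x^2 + x + 3$, the curve $E' : y^2 = x^3 + 3x + 4$, ten points on $E$, and a Frobenius orbit of size $5 = d$ for the eigenvalue $\lambda = 11 \bmod 25$, which is the irreducibility criterion of Section 4.2.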

4.4 An Example 

We take p = 7, q = 7 and d = 5. The elliptic curve 

has got ten Fy-rational points. The point T = (6, 4) has order £ = 5. The group generated by T is 

{T) = {Oe, (6,4), (4,4), (4,3), (6,3)} . 
The quotient by (T) isogenous curve E' is given by Velu's formulae 

E' ■.y'^ = + 3X + 4:. 
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Moreover, Eq. (4) yields 



Qy + 6x'^ + 2x g 
(^ + 1)' 

x + 2 1 _ + + 2x^ + bx'^ + 4:X + 5 

{x + lf {x + 3f~ {x + 3f{x + lf 

There remains to choose a point A of order 5 in E'{¥7), for instance ^ = (1,1), and we finally obtain, 

f,,Aix) = x^ + x^ + 2 x^ + 5 x"^ + 4:x + 5 - {x + 3f {x + if = x^ + x^ + Ax"^ + x + 3 . 

5 Base change 

In this section K = {Z/pZ)[z]/{h{z)) is a finite field with q = elements. We still assume here 
that d = £^ is a power of a prime £ where £ is prime to p{q — 1). We look for a degree d irreducible 
polynomial in K[.t]. However, we no longer assume that 4i ^ q^. 

We adapt the main idea in Section 2.4 to the context of elliptic curves: we base change to a small 
auxiliary extension. 

Let n be the smallest integer coprime with £{£— 1) such that Q = q"' satisfies 4^ ^ Q4 . According 
to Iwaniec's result about Jacobsthal's problem [8] we haven= {log£f+°^^\ Let us remark that d is 
then coprime with Q — 1 too. 

Using e.g. the methods in Shoup [14] we find a degree n irreducible polynomial g{y) G K[y] . We 
set L = K.[y]/{g{y)). A basis of this (Z/pZ)-vector space is given by the z^y^ for ^ i < n and ^ 
j < w. Using the method explained in the introduction we find a generator r of the (Z/pZ) -algebra 
L. We compute also the minimal polynomial G {'L/p'L)[u\ of r. WesetL = (lj/p'L)[u\/ {h{u)). 
A basis of this (Z/pZ)-vector space is given by the u'^ for ^ < nw. We compute and store the 
matrix of the isomorphism k : L — >^ L that sends u mod h{u) onto r. This is a nw x nw matrix with 
entries in Z/pZ. We also compute and store the inverse of this matrix. The image K = k~^(K) of K 
by is the unique subfield with q elements inside L. 

The reason for introducing these two different models of the field with q^ elements is that, on the 
one hand, this field should be constructed as an extension of K because we shall have to descend to K 
later on; but on the other hand, the field with q^ elements should be also presented as a monogenous 
extension of "L/plj, because all the algorithms described and used so far (an in particular the algo- 
rithms due to Umans and Kedlaya) require that the base field be presented as a monogenous extension 
oil /pi. 

One can now apply the construction of Section 4 to $L$ and obtain an irreducible polynomial $F_{I,A}(x)$ of degree $d$ in $L[x]$, in time

$$(\log Q)^{5+o(1)}\, d^{1+o(1)} = (\log q)^{5+o(1)}\, d^{1+o(1)}$$

elementary operations, the equality holding because $n = (\log \ell)^{2+o(1)} = d^{o(1)}$.

Recall that $F_{I,A}(x)$ is the minimal polynomial of $x(B)$ where $B$ is a geometric point of order $\ell^{e+1}$ on an elliptic curve $E$ over $L$. We are also given an integer $\Lambda$ such that $0 \le \Lambda < \ell^{e+1}$ and

$$\phi_Q(B) = \Lambda B. \tag{9}$$

It remains to derive from $F_{I,A}(x)$ an irreducible polynomial $f(x)$ of degree $d$ over $K$.

We set $\alpha = x(B) \in L[x]/(F_{I,A}(x))$. This is a root of $F_{I,A}(x)$. Recall that $\Phi_q$ is the map which raises to the $q$-th power. We have $\Phi_Q = \Phi_q^n$. The field $L[x]/(F_{I,A}(x)) = L(\alpha)$ is an extension of degree $d$ of $L$. For any integer $k$ between $1$ and $n$, one denotes by $\Sigma_k(\alpha)$ the $k$-th symmetric function of the conjugates of $\alpha$ over the subfield with $q^d$ elements:

$$\alpha,\ \Phi_q^{d}(\alpha),\ \Phi_q^{2d}(\alpha),\ \ldots,\ \Phi_q^{(n-1)d}(\alpha).$$

Since $d$ is a prime power, we deduce from Lemma 1 of Section 7.1 that at least one among these $n$ symmetric functions generates the extension of degree $d$ of $K$. In other words, there exists a $k$ between $1$ and $n$ such that the polynomial

$$f(x) = \prod_{0 \le i < d} \left(x - \Phi_q^{i}\big(\Sigma_k(\alpha)\big)\right)$$

is irreducible of degree $d$ in $K[x] \subset L[x]$.
Three questions now worry us.

• How to compute $\Sigma_k(\alpha)$ and its conjugates?

• How to find the right integer $k$?

• How to compute $f(x) \in K[x]$ starting from $F_{I,A}(x) \in L[x]$?

5.1 How to compute $\Sigma_k(\alpha)$ and its conjugates?

First, let us write $\alpha_I = \Phi_q^I(\alpha)$ for every integer $I$ and let us see how to compute one of these conjugates. We first need to compute $\beta = y(B)$ as an element in the residue ring $L[x]/(F_{I,A}(x))$. For this, we use Eq. (3).

Let now $I$ be an integer between $0$ and $dn-1$. We want to compute $\alpha_I = \Phi_q^I(\alpha)$. We write $I = r + ns$ with $0 \le r < n$ and $0 \le s < d$. Then, since $\Phi_Q = \Phi_q^n$,

$$\Phi_q^I(\alpha) = \Phi_q^{r}\big(\Phi_Q^{s}(\alpha)\big).$$

We first compute $\Phi_Q^s(\alpha) = x(\phi_Q^s(B)) = x(\Lambda^s B)$ using Eq. (9). To this end, we write $\Lambda^s \equiv R \bmod \ell^{e+1}$ where $0 \le R < \ell^{e+1}$ and we multiply the $\ell^{e+1}$-torsion point $B \in E(L[x]/(F_{I,A}(x)))$ by $R$ using fast exponentiation. This is done at the expense of $O(\log Q + \log d)$ operations in $L[x]/(F_{I,A}(x))$.

One then raises $\Phi_Q^s(\alpha)$ to the $q^r$-th power at the expense of at most $n \log q$ operations modulo $F_{I,A}(x)$. Thus, each conjugate is computed at the expense of

$$d^{1+o(1)} (\log q)^{2+o(1)}$$

elementary operations.

To compute all the $(\Sigma_k(\alpha))_{0 < k \le n}$ one computes the $n$ conjugates $\alpha, \Phi_q^{d}(\alpha), \Phi_q^{2d}(\alpha), \ldots, \Phi_q^{(n-1)d}(\alpha)$ and one forms the corresponding polynomial of degree $n$. Altogether, the computation of the symmetric functions $(\Sigma_k(\alpha))_{0 < k \le n}$ requires

$$d^{1+o(1)} (\log q)^{2+o(1)}$$

elementary operations.
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5.2 How to find the integer k ? 

One seeks an integer k between 1 and n such that Sjt(a) generates an extension of degree d of K.We 

know that there is at least one such integer. So we successively test all the k between 1 and n. As n is 
small, this is not a problem. We know that Sjt(a) generates the degree d extension of K if and only if 

<"\Sfc(a)) / Sfc(a) , 

where is the unique maximal divisor of d. This condition is equivalent to 

Efc(<-\a))^E,(«), 

or 

One computes the Sfc(a^5 i)'s in the same way as the Sfc(Q;)'s, following Section 5.1. It is then 
easy to compare and Sfe(a). 

One can thus find k in 

d'+<'\logqf+<'^ 

elementary operations. 

5.3 How to compute the characteristic polynomial $f(x)$?

We now have an element $\Sigma_k(\alpha)$ of $L[x]/(F_{I,A}(x))$ and we know that it actually belongs to the degree $d$ extension of $K$. But this is not really visible because $\Sigma_k(\alpha)$ is given in the basis $1, x, \ldots, x^{d-1}$ of $L[x]/(F_{I,A}(x))$. Still, the characteristic polynomial $f(x)$ of $\Sigma_k(\alpha)$ has coefficients in $K \subset L$.

We compute this characteristic polynomial. We use a general algorithm for this task, such as the one appearing in recent work by Umans and Kedlaya [15, 9]. See Theorem 4 in Section 7.5. This algorithm requires $d^{1+o(1)} \times (\log Q)^{1+o(1)}$ elementary operations. Finally, we apply the isomorphism $\kappa : \bar L \to L$ to every coefficient in $f(x)$ and we find a polynomial $f(x)$ with coefficients in $K \subset L$. This polynomial is irreducible in $K[x]$.
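The descent of Sections 5.1 to 5.3, as an added worked example that is not code from the paper. It keeps the three steps of Section 5 but replaces the elliptic-curve data by a flat model that is cheap to compute with: $N = \mathbb{F}_2[x]/(P)$ with $P = x^{15} + x + 1$ (assumed irreducible over $\mathbb{F}_2$; it is a standard primitive trinomial), so that $K = \mathbb{F}_2$, the auxiliary field is $L = \mathbb{F}_{2^5}$ ($n = 5$), the target subfield is $K_d = \mathbb{F}_{2^3}$ ($d = 3$, $\ell = 3$, $e = 1$, so $d/\ell = 1$), and $\alpha = x \bmod P$ plays the role of $x(B)$. As in Section 5, $\ell$ is prime to $p(q-1) = 2$ and $n$ to $\ell(\ell-1) = 6$; the size condition on $q$ is irrelevant to the descent itself. Elements of $N$ are stored as 15-bit integers, so, exactly as in Section 5.3, the $K$-rationality of $\Sigma_k(\alpha)$ is not visible until the product over the $\Phi_q^i$ is formed and every coefficient turns out to be $0$ or $1$.

```python
# Added example for Sections 5.1-5.3: descent of a symmetric function of the
# conjugates of alpha to an irreducible polynomial over K = F_2.  Constructed
# example, not the paper's code.  N = F_2[x]/(P) with P = x^15 + x + 1 (assumed
# irreducible; it is a standard primitive trinomial), elements stored as 15-bit ints.
# Here q = 2, n = 5 (L = F_32), d = 3 (K_d = F_8), ell = 3, so d / ell = 1.

P = (1 << 15) | (1 << 1) | 1   # x^15 + x + 1
DEG = 15


def gf_mul(a, b):
    """Product in N = F_2[x]/(P): carry-less multiplication reduced modulo P."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> DEG) & 1:
            a ^= P
    return r


def gf_pow(a, e):
    """a^e in N by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def frob(a, k):
    """Phi_2^k(a) = a^(2^k): the k-th iterate of the q-th power map, q = 2."""
    return gf_pow(a, 1 << k)


def poly_mul(f, g):
    """Product of polynomials with coefficients in N (lists, lowest degree first)."""
    r = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            r[i + j] ^= gf_mul(fi, gj)
    return r


def conjugate_product(a, step, count):
    """prod_{0 <= j < count} (X - Phi_2^(step*j)(a)) as a polynomial over N.
    In characteristic 2 subtraction is addition, so X - c is the list [c, 1]."""
    f = [1]
    for j in range(count):
        f = poly_mul(f, [frob(a, step * j), 1])
    return f


def descend(alpha, d, n, ell):
    """Sections 5.1-5.3 for K = F_2: return (k, f) where Sigma_k(alpha) generates
    F_{2^d} over F_2 and f = prod_{0<=i<d} (x - Phi_2^i(Sigma_k(alpha))), encoded
    as a bitmask over F_2 (bit i = coefficient of x^i)."""
    # 5.1: the n conjugates of alpha over F_{2^d} are alpha, Phi_2^d(alpha), ...;
    # their symmetric functions are the coefficients of this degree n polynomial.
    top = conjugate_product(alpha, d, n)
    for k in range(1, n + 1):
        sigma = top[n - k]                      # k-th symmetric function (no signs in char 2)
        # 5.2: Sigma_k generates F_{2^d} iff Phi_2^(d/ell) moves it.
        if frob(sigma, d // ell) != sigma:
            # 5.3: the characteristic polynomial over K = F_2 has coefficients in F_2,
            # i.e. each coefficient is the integer 0 or 1 once computed in N.
            f = conjugate_product(sigma, 1, d)
            if any(c not in (0, 1) for c in f):
                raise ArithmeticError("coefficient did not descend to F_2")
            return k, sum(c << i for i, c in enumerate(f))
    raise ArithmeticError("no symmetric function generates: contradicts Lemma 1")


def has_root_in_F2(fbits):
    """True iff the F_2-polynomial fbits vanishes at 0 or at 1 (bit-count parity)."""
    return (fbits & 1) == 0 or bin(fbits).count("1") % 2 == 0


if __name__ == "__main__":
    alpha = 0b10                               # the class of x, a generator of N over F_2
    k, f = descend(alpha, d=3, n=5, ell=3)
    print("k =", k, " f(x) bitmask =", bin(f))   # x^3 + x + 1 or x^3 + x^2 + 1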

6 Summary 

The following theorem summarizes our work in this paper. 

Theorem 1 There exists a probabilistic (Las Vegas) algorithm that on input a finite field $K$ with characteristic $p$ and cardinality $q = p^w$, and a positive integer $d$, returns a degree $d$ irreducible polynomial in $K[x]$. The algorithm requires $d^{1+o(1)} \times (\log q)^{5+o(1)}$ elementary operations.

The statement above assumes that the finite field $K$ is given in a reasonable way as explained in the introduction. The algorithm runs as follows.

We first factor the degree $d$ as $d = \prod_i \ell_i^{e_i}$. This requires $O(d)$ elementary operations. Section 3 shows that it suffices to find an irreducible polynomial of degree $\ell_i^{e_i}$ for every $i$.

So we may assume that $d = \ell^e$ is a prime power.

If $\ell = p$ we use the construction in Section 2.1.

If $\ell$ divides $q-1$ we use the construction in Sections 2.2 and 2.3.

Assume now $\ell$ is prime to $p(q-1)$. We find the smallest integer $n$ such that $n$ is coprime with $\ell(\ell-1)$ and $Q = q^n$ satisfies $4\ell \le Q^{1/4}$.

Using e.g. the methods in Shoup [14] we find a degree $n$ irreducible polynomial $g(y) \in K[y]$. We set $L = K[y]/(g(y))$. We find a generator $\tau$ of the $(\mathbb{Z}/p\mathbb{Z})$-algebra $L$. We compute the minimal polynomial $\bar h(u) \in (\mathbb{Z}/p\mathbb{Z})[u]$ of $\tau$. We set $\bar L = (\mathbb{Z}/p\mathbb{Z})[u]/(\bar h(u))$. We compute and store the matrix of the isomorphism $\kappa : \bar L \to L$, and also its inverse.

We pick random elliptic curves over $L$ and compute their cardinalities until we find one with cardinality divisible by $\ell$. Let $E$ be such a curve. Let $t$ be its trace, so that $\#E(L) = Q + 1 - t$.

We look for a point of order $\ell$ in $E(L)$. To this end, we pick a random point in $E(L)$ and multiply it by $(Q+1-t)/\ell$. If the result is non-zero we are done: it is killed by $\ell$, so it is a point of order exactly $\ell$. Otherwise we start again.

Once we have found a point of order $\ell$ in $E(L)$, we compute the associated degree $\ell$ quotient isogeny $E \to E_1$ using Vélu's formulae in Paragraph 4.1.1.

We iterate the construction above and obtain a chain of $e$ degree $\ell$ isogenies

$$E \to E_1 \to \cdots \to E_e.$$

We find a generator $A$ of the $\ell$-Sylow subgroup of $E_e(L)$. We compute the polynomial $F_{I,A}(x) \in L[x]$ associated with the isogeny $I : E \to E_e$ and the point $A$. To this end, we use the methods given in Paragraphs 4.1.2 and 4.1.1. This polynomial is irreducible in $L[x]$.

We use the method in Section 5 to deduce an irreducible polynomial of degree $\ell^e$ in $K[x]$.
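The two random steps of the summary above (drawing curves until $\ell$ divides the cardinality, then multiplying a random point by $(Q+1-t)/\ell$ and keeping the result when it is non-zero), as an added example that is not the paper's code. It assumes a prime base field $L = \mathbb{F}_p$ with $p \equiv 3 \pmod 4$, so that square roots are a single exponentiation, and short Weierstrass models $y^2 = x^3 + ax + b$ (hence $p > 3$). The cardinality is obtained by the naive Legendre-symbol count rather than by a point-counting algorithm, which is only acceptable at this toy size. The values $p = 103$ and $\ell = 7$ are constructed; $7$ is prime to $p(p-1) = 103 \cdot 102$ as required in Section 6.

```python
# Added example for the summary in Section 6: find a curve E/F_p with ell | #E(F_p)
# and a point of order ell by multiplying a random point by (p + 1 - t)/ell.
# Constructed example, not the paper's code.  Assumptions: p prime with p = 3 mod 4,
# short Weierstrass form y^2 = x^3 + a x + b (so p > 3), naive point counting.
import random


def legendre(n, p):
    """Legendre symbol (n/p) in {-1, 0, 1}, computed as n^((p-1)/2) mod p."""
    s = pow(n % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a x + b by summing 1 + (rhs/p) over x, plus infinity."""
    n = 1
    for x in range(p):
        n += 1 + legendre(x * x * x + a * x + b, p)
    return n


def ec_add(P1, P2, a, p):
    """Affine group law on y^2 = x^3 + a x + b; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                        # P2 = -P1 (covers doubling a 2-torsion point)
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(m, P1, a, p):
    """m * P1 by double-and-add (fast exponentiation in additive notation)."""
    R = None
    while m:
        if m & 1:
            R = ec_add(R, P1, a, p)
        P1 = ec_add(P1, P1, a, p)
        m >>= 1
    return R


def random_point(a, b, p, rng):
    """Random affine point: random x until x^3 + a x + b is a square; the square
    root is rhs^((p+1)/4), valid because p = 3 mod 4 (assumption)."""
    while True:
        x = rng.randrange(p)
        rhs = (x * x * x + a * x + b) % p
        if legendre(rhs, p) >= 0:
            y = pow(rhs, (p + 1) // 4, p)
            return (x, y) if rng.randrange(2) else (x, (-y) % p)


def find_curve_and_point(p, ell, seed=1):
    """Return (a, b, N, R): a curve with ell | N = #E(F_p) and a point R of order ell."""
    assert p % 4 == 3, "square-root shortcut assumes p = 3 mod 4"
    rng = random.Random(seed)
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            continue                       # singular: not an elliptic curve
        N = count_points(a, b, p)          # N = p + 1 - t, t the Frobenius trace
        if N % ell:
            continue                       # no F_p-rational ell-torsion point
        while True:
            R = ec_mul(N // ell, random_point(a, b, p, rng), a, p)
            if R is not None:              # non-zero result has order exactly ell
                return a, b, N, R


def on_curve(P1, a, b, p):
    """Membership test for an affine point."""
    x, y = P1
    return (y * y - (x * x * x + a * x + b)) % p == 0


if __name__ == "__main__":
    a, b, N, R = find_curve_and_point(103, 7)
    print(f"y^2 = x^3 + {a}x + {b} over F_103: #E = {N}, point of order 7: {R}")
```

The inner loop mirrors the text: a random point $P$ multiplied by $N/\ell$ lands in $E[\ell]$, so the result either is the origin (then $P$ was already in $\ell E(L)$ and one retries) or has order exactly $\ell$. Hasse's bound $|N - (p+1)| \le 2\sqrt p$ bounds the cardinality the count must return.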

7 Appendix 

In this section we state several known and useful facts about fields, polynomials and elliptic curves. 
7.1 Generator of a subextension 

Let $M$ be a field and let $K$ be a subfield of $M$. Assume $M = K(\alpha)$ is a monogenous extension of $K$. Let $L$ be a subfield of $M$ containing $K$. In this section, we use $\alpha$ to construct a generator of $L$ over $K$.

The extension $M/L$ is assumed to be cyclic of finite degree $d$. We also assume that there exists a strict subfield $S$ of $L$ containing $K$, such that every strict subfield of $L$ containing $K$ is included in $S$.

Let $(\Sigma_k)_{1 \le k \le d}$ be the $d$ symmetric functions of $\alpha$ over $L$. These are the coefficients of the characteristic polynomial of $\alpha$, seen as an element in the $L$-algebra $M$.

We claim that at least one of these symmetric functions generates $L$ over $K$.

Otherwise, all these functions would be contained in $S$, so $\alpha$ would be a root of a degree $d$ polynomial with coefficients in $S$, and $S(\alpha)$ would be an algebraic extension of $S$ of degree $\le d$. But $S(\alpha)$ contains $K(\alpha)$, so $S(\alpha)$ is $M$. Hence $[M : S] \le d$. On the other hand $S \subset L \subset M$, so $[M : S] = [M : L]\,[L : S] = d\,[L : S]$. Therefore $[L : S] = 1$ and $L = S$. A contradiction.

The tower of fields involved is $K \subset S \subset L \subset M = K(\alpha) = S(\alpha)$, with $[M : L] = d$.

We notice that the existence of a unique maximal strict subextension $S$ of $L/K$ is granted if $L/K$ is finite, Galois and cyclic of degree a prime power, since the subextensions then form a chain.

We deduce the following lemma; the hypothesis on $L/K$ is the one the argument above actually uses, and it is also the one available in Section 5, where $[L(\alpha) : K] = nd$ is not a prime power but $[K_d : K] = d$ is.

Lemma 1 (Subfield generated by a symmetric function) Let $M$ be a finite field and let $K$ be a subfield of $M$. Let $\alpha$ be a generator of $M$ over $K$. Let $L$ be a subfield of $M$ containing $K$. We assume that the degree of $L$ over $K$ is a prime power. Let $d$ be the degree of $M$ over $L$. Let $(\Sigma_k)_{1 \le k \le d}$ be the $d$ symmetric functions of $\alpha$ above $L$. Then at least one among these $d$ symmetric functions generates $L$ over $K$.

7.2 Some kernel isogenies 

Let $K$ be a finite field of characteristic $p$ and cardinality $q$. Let $E$ be an elliptic curve over $K$. We denote by $\phi_E : E \to E$ the degree $q$ Frobenius endomorphism of $E$. Let $t$ be the trace of $\phi_E$. Let $O$ be the quotient ring $\mathbb{Z}[X]/(X^2 - tX + q)$ and let $\alpha$ be the class of $X$ in $O$. Let $e_E : O \to \mathrm{End}(E)$ be the ring homomorphism that maps $\alpha$ onto $\phi_E$. We say that $e_E$ is the standard labeling of $E$.

Let $S$ be a subset of $O$ containing an integer $N$ prime to $p$. We define the kernel $E[S]$ of $S$ in $E$ to be the intersection of the kernels of all endomorphisms $e_E(s)$ for $s \in S$. This is a finite étale subgroup of $E$, being contained in $E[N]$. So it is characterized by its set of geometric points.

Now let $F$ be another elliptic curve over $K$ and let $\iota : E \to F$ be an isogeny defined over $K$. Let $e_F : O \to \mathrm{End}(F)$ be the morphism of free $\mathbb{Z}$-modules that sends $1$ onto the identity and $\alpha$ onto $\phi_F$. For any element $s$ in $O$ we have

$$\iota \circ e_E(s) = e_F(s) \circ \iota. \tag{10}$$

Indeed, the identity above is true for $s = \alpha$ because $\iota$ is defined over $K$. It is evidently true also for $s = 1$. Therefore it is true for all $s$ in $O$ by linearity.

We deduce from identity (10) that $e_F$ is a ring homomorphism, just as $e_E$.

Now let $G$ be a third elliptic curve over $K$. Let $j : F \to G$ be an isogeny defined over $K$. We define $e_G : O \to \mathrm{End}(G)$ as before.

$$E \xrightarrow{\ \iota\ } F \xrightarrow{\ j\ } G.$$

Assume $\iota : E \to F$ is separable with kernel $E[S]$ where $S$ is a subset of $O$ containing an integer prime to $p$. Assume $j : F \to G$ is separable with kernel $F[T]$ where $T$ is a subset of $O$ containing an integer prime to $p$. Then the kernel of $j \circ \iota$ is $E[ST]$.

Indeed, both the kernel of $j \circ \iota$ and $E[ST]$ are étale; so they are characterized by their geometric points.

Now let $x$ be a point in the kernel of $j \circ \iota$. Its image $\iota(x)$ by $\iota$ lies in the kernel of $j$. Therefore it is killed by $T$: for any element $t$ of $T$ one has $e_F(t)(\iota(x)) = 0_F$. So $\iota(e_E(t)(x)) = 0_F$ and $e_E(t)(x)$ belongs to the kernel of $\iota$. Thus it is killed by $S$: for any $s$ in $S$ we have $e_E(s)(e_E(t)(x)) = 0_E$ or equivalently $e_E(st)(x) = 0_E$. Therefore $x$ lies in $E[ST]$.

Conversely, let $x$ be a point in $E[ST]$. Let $t$ be an element in $T$. We observe that $e_E(t)(x)$ is killed by $S$, so it belongs to the kernel of $\iota$. Thus $\iota(e_E(t)(x)) = e_F(t)(\iota(x)) = 0_F$. So $\iota(x)$ is killed by $T$; therefore it belongs to the kernel of $j$. Thus $j(\iota(x)) = 0_G$.

Following Waterhouse [17] we say that an isogeny $\iota : E \to F$ whose kernel takes the form $E[S]$ is a kernel isogeny.

Lemma 2 (Composition of kernel isogenies) Let $K$ be a finite field with characteristic $p$ and cardinality $q$. Let $E$ be an elliptic curve over $K$. Let $t$ be the trace of the Frobenius endomorphism of $E$. Let $O$ be the quotient ring $\mathbb{Z}[X]/(X^2 - tX + q)$ and let $e_E : O \to \mathrm{End}(E)$ be the standard labeling. Let $S$ be a subset of $O$ containing an integer prime to $p$ and let $\iota : E \to F$ be the quotient isogeny by $E[S]$. Let $T$ be a subset of $O$ containing an integer prime to $p$ and let $j : F \to G$ be the quotient isogeny by $F[T]$. Then the kernel of $j \circ \iota$ is $E[ST]$.

7.3 The number of irreducible polynomials 

Let $K$ be a finite field with cardinality $q$ and characteristic $p$. Let $d \ge 2$ be an integer. We are interested in the number of degree $d$ irreducible unitary polynomials in $K[x]$. We recall and prove a very classical lower bound [11, Ex. 3.26 and 3.27, page 142].

Let $\Omega$ be an algebraic closure of $K$ and let $L$ be the unique degree $d$ extension of $K$ inside $\Omega$. Call $\mathcal{G}_d$ the set of generators of the $K$-algebra $L$. This is the set of all $a$ in $L$ such that $K(a) = L$. Let $\mathcal{I}_d$ be the set of degree $d$ unitary irreducible polynomials in $K[x]$. Let $\rho : \mathcal{G}_d \to \mathcal{I}_d$ be the map that to every generator $a$ associates its minimal polynomial. Every polynomial $P(x)$ in $\mathcal{I}_d$ has exactly $d$ preimages by $\rho$, namely its $d$ roots.

To enumerate the degree $d$ unitary irreducible polynomials, we just count the generators of $L$ over $K$. Let $a$ be an element in $L$. If $a$ does not generate $L$, then it belongs to a smaller extension of $K$ inside $L$. Therefore the complementary set of $\mathcal{G}_d$ in $L$ is the union of all strict subfields of $L$ containing $K$. These subfields are in correspondence with the strict divisors of $d$. To any such divisor $D$ we associate the unique extension of $K$ with degree $D$. It has $q^D$ elements. The set of strict divisors of $d$ is a subset of $\{1, 2, 3, 4, \ldots, \lfloor d/2 \rfloor\}$. So the number of elements in $L$ that do not generate it over $K$ is upper bounded by

$$q + q^2 + q^3 + q^4 + \cdots + q^{\lfloor d/2 \rfloor} = \frac{q\,(q^{\lfloor d/2 \rfloor} - 1)}{q-1} \le \frac{q\,(q^{d/2} - 1)}{q-1}.$$

The cardinality of $\mathcal{G}_d$ is thus $\ge q^d - \frac{q}{q-1}\,(q^{d/2} - 1)$ and the cardinality of $\mathcal{I}_d$ is

$$\ge \frac{q^d}{d} - \frac{q}{d\,(q-1)}\,(q^{d/2} - 1).$$



We deduce the following lemma [11, Ex. 3.26 and 3.27, page 142].

Lemma 3 Let $K$ be a finite field with $q$ elements. Let $d \ge 2$ be an integer. The density of irreducible polynomials among the degree $d$ unitary polynomials is

$$\ge \frac{1}{d}\left(1 - \frac{q^{d/2} - 1}{(q-1)\,q^{d-1}}\right).$$

Let $L$ be a degree $d$ extension of $K$. The density of generators of the $K$-algebra $L$ is

$$\ge 1 - \frac{q^{d/2} - 1}{(q-1)\,q^{d-1}}.$$

If $d \ge 2$ we deduce that the latter density is $\ge 1 - \frac{1}{q-1} = \frac{q-2}{q-1}$. So it is $\ge \frac{1}{2}$ if $q \ge 3$.

If $q = 2$ and $d \ge 4$ then this density is $\ge 1 - 2 \times 2^{-2} = \frac{1}{2}$.

If $q = 2$ and $d$ equals $2$ (resp. $3$) then this density is $\frac{1}{2}$ (resp. $\frac{3}{4}$).

If $d = 1$ then this density is $1$.

We deduce the following lemma.

Lemma 4 (Density of generators) Let $K$ be a finite field with $q$ elements. Let $d \ge 1$ be an integer. The density of irreducible polynomials among the degree $d$ unitary polynomials is $\ge \frac{1}{2d}$.

Let $L$ be a degree $d$ extension of $K$. The density of generators in the $K$-algebra $L$ is $\ge \frac{1}{2}$.
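A numerical check of Section 7.3 and Lemma 4, as an added example that is not the paper's code. It compares the exact number of monic irreducible polynomials of degree $d$ over $\mathbb{F}_q$ (computed by Gauss's formula $\frac{1}{d}\sum_{k \mid d} \mu(k)\, q^{d/k}$, which is not on this page, and cross-checked by brute force over $\mathbb{F}_2$) with the lower bound $q^d - (q + q^2 + \cdots + q^{\lfloor d/2 \rfloor})$ on the number of generators derived above, and verifies the $\frac{1}{2d}$ and $\frac12$ thresholds of Lemma 4 over a small grid of $(q, d)$. The exact values $\frac12$ and $\frac34$ quoted above for $q = 2$, $d = 2, 3$ are reproduced.

```python
# Added example for Section 7.3: exact number of monic irreducible polynomials of
# degree d over F_q compared with the lower bound derived above and with Lemma 4.
# Constructed example, not the paper's code.  The exact count is Gauss's formula
# (1/d) sum_{k | d} mu(k) q^(d/k), cross-checked here by brute force over F_2.
from fractions import Fraction


def divisors(n):
    return [k for k in range(1, n + 1) if n % k == 0]


def mobius(n):
    """Moebius function by trial division."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0               # square factor
            result = -result
        p += 1
    return -result if n > 1 else result


def count_irreducible(q, d):
    """Exact number of monic irreducible degree-d polynomials over F_q (Gauss)."""
    return sum(mobius(k) * q ** (d // k) for k in divisors(d)) // d


def non_generator_bound(q, d):
    """q + q^2 + ... + q^floor(d/2): the page's upper bound on the elements of
    F_{q^d} lying in a strict subfield (every strict divisor of d is <= d/2)."""
    return sum(q ** D for D in range(1, d // 2 + 1))


def generator_density_bound(q, d):
    """Lower bound on #G_d / q^d from Section 7.3."""
    return 1 - Fraction(non_generator_bound(q, d), q ** d)


def irreducible_density_bound(q, d):
    """Lower bound on #I_d / q^d, using #I_d = #G_d / d."""
    return generator_density_bound(q, d) / d


def poly_mod2(a, b):
    """Remainder of a by b, both F_2[x] polynomials stored as bitmasks."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def count_irreducible_brute_F2(d):
    """Brute-force count over F_2: a degree-d polynomial is reducible iff it has a
    divisor of degree between 1 and floor(d/2)."""
    count = 0
    for f in range(1 << d, 1 << (d + 1)):
        if all(poly_mod2(f, g) for g in range(2, 1 << (d // 2 + 1))):
            count += 1
    return count


def check_lemma_4(q, d):
    """Lemma 3/4 consistency for one (q, d): the exact densities dominate the bounds,
    irreducibles have density >= 1/(2d) and generators density >= 1/2."""
    n_irr = count_irreducible(q, d)
    irr_density = Fraction(n_irr, q ** d)
    gen_density = Fraction(d * n_irr, q ** d)     # each irreducible has d roots
    return (irr_density >= irreducible_density_bound(q, d)
            and gen_density >= generator_density_bound(q, d)
            and irr_density >= Fraction(1, 2 * d)
            and gen_density >= Fraction(1, 2))


if __name__ == "__main__":
    for d in range(1, 9):
        print(d, count_irreducible(2, d), count_irreducible_brute_F2(d),
              float(irreducible_density_bound(2, d)))
```

The bound is tight at $q = 2$, $d = 2$ (exactly one irreducible quadratic, density $\frac14 = \frac{1}{2d}$), which is why Lemma 4 cannot be improved in general without a case analysis like the one above.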

7.4 Density of elliptic curves with an ^-torsion point 

Let $K$ be a finite field with $q$ elements and let $\ell$ be a prime integer. Lenstra [10] and Howe [7] give estimates for the density of elliptic curves over $K$ whose number of $K$-rational points is divisible by $\ell$. In this section, we recall what these authors mean by density and we explain why this density fits with the uniform density on Weierstrass curves.

We call $\mathcal{E}(K)$ the set of $K$-isomorphism classes of elliptic curves over $K$. The $K$-isomorphism class of a curve $E/K$ is denoted $[E]$. One defines a measure $\mu_{\mathcal{E}}$ on the finite set $\mathcal{E}(K)$ in the following way: the measure of a class $[E]$ is the inverse of the order of the group of $K$-automorphisms of $E$. So the measure of a subset $S$ of $\mathcal{E}(K)$ is

$$\mu_{\mathcal{E}}(S) = \sum_{[E] \in S} \frac{1}{\#\mathrm{Aut}_K(E)}. \tag{11}$$

Lenstra and Howe prove that the measure of the full set $\mathcal{E}(K)$ is $q$.

Now let $\mathcal{W}(K)$ be the set of Weierstrass elliptic curves over $K$. We denote by $\mu_{\mathcal{W}}$ the uniform measure on this set: the $\mu_{\mathcal{W}}$-measure of a subset of $\mathcal{W}(K)$ is defined to be its cardinality. This is a very convenient measure. In order to pick a random Weierstrass curve according to this measure, we just choose each coefficient $a_1, a_2, a_3, a_4, a_6$ at random with the uniform probability in $K$ and we check that the discriminant is non-zero (if it is zero we start again).

Let $\gamma : \mathcal{W}(K) \to \mathcal{E}(K)$ be the map that to every curve $E$ associates its isomorphism class $[E]$. This is a surjection: every elliptic curve over $K$ has a Weierstrass model over $K$.

Let $\mathcal{A}(K)$ be the group of projective transforms of the form

$$(X : Y : Z) \mapsto (u^2 X + rZ : u^3 Y + s u^2 X + tZ : Z)$$

where $u \in K^*$ and $r, s, t \in K$. This group acts on the set $\mathcal{W}(K)$ of Weierstrass elliptic curves over $K$. Two Weierstrass elliptic curves over $K$ are isomorphic over $K$ if and only if they lie in the same orbit for the action of $\mathcal{A}(K)$. Further, the group of $K$-automorphisms of a Weierstrass elliptic curve $E$ is isomorphic to the stabilizer of $E$ in $\mathcal{A}(K)$.

So the orbit of a Weierstrass curve $E/K$ under the action of $\mathcal{A}(K)$ is the fiber $\gamma^{-1}([E])$ and the cardinality of this fiber is the quotient

$$\frac{\#\mathcal{A}(K)}{\#\mathrm{Aut}_K(E)}.$$

Therefore if $S$ is a subset of $\mathcal{E}(K)$ and if $T$ is its preimage by $\gamma$, then the measures of $S$ and $T$ are proportional:

$$\mu_{\mathcal{W}}(T) = \#\mathcal{A}(K) \times \mu_{\mathcal{E}}(S).$$

In particular, if we want to pick a random $K$-isomorphism class of elliptic curve according to the measure $\mu_{\mathcal{E}}$, it suffices to pick a random Weierstrass elliptic curve according to the uniform measure $\mu_{\mathcal{W}}$.

We now can state a special case of the main result in Howe's paper [7].

Theorem 2 (Howe) Let $q$ be a prime power and let $K$ be a field with $q$ elements. Let $\mathcal{E}(K)$ be the set of $K$-isomorphism classes of elliptic curves over $K$. Let $\mu_{\mathcal{E}}$ be the measure on this set defined by Eq. (11). Let $\ell$ be a prime integer not dividing $q-1$. The isomorphism classes in $\mathcal{E}(K)$ of elliptic curves having a $K$-rational point of order $\ell$ form a subset of density

$$\frac{1}{\ell - 1}$$
plus an error term bounded in absolute value by 

We deduce the following corollary. 

Corollary 1 (Density of elliptic curves with an $\ell$-torsion point) Let $q$ be a prime power and let $K$ be a field with $q$ elements. Let $\mathcal{W}(K)$ be the set of Weierstrass elliptic curves over $K$. Let $\mu_{\mathcal{W}}$ be the uniform measure on this set. Let $\ell$ be a prime integer not dividing $q-1$. The density of Weierstrass curves having a $K$-rational point of order $\ell$ is

$$\frac{1}{\ell - 1}$$
plus an error term bounded in absolute value by 

M(£ + l) 
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7.5 Fast composition 

The following theorems were recently proven by Umans and Kedlaya [9]. 

Theorem 3 (Kedlaya and Umans) There exists a deterministic algorithm that on input a finite field 
K = (Z/pZ)[?/]/(a(y)) with q elements and three polynomials f{x), g{x) and h{x) in K.[x] with 
degrees bounded by d, outputs the remainder f{g{x)) mod h{x) at the expense ofd^~^°^^^ (log q)^~'^°W 
elementary operations. 

Theorem 4 (Kedlaya and Umans) There exists a deterministic algorithm that on input a finite field 

K = (Z/pZ)[?/]/(a(y)) with q elements, a degree d irreducible unitary polynomial f{x) in K[,t], 
and a degree ^ d — 1 polynomial g{x) in K.[x] such that the class 7 of g{x) modulo f{x), generates 
the K algebra K[x]/(/(x)), outputs the minimal polynomial h{x) G K[x] 0/7 at the expense of 
c;i+o(i)(logg)^+''(^) elementary operations^ 

The following corollary of Theorem 3 is particularly useful. 

Corollary 2 There exists a deterministic algorithm that on input a finite field K. = (Z/pZ)[y]/(a(y)) 
with q elements and two rational fractions F{x) and G{x) in K.{x) with respective degrees dp and 
da, outputs the composition F{G{x)) = u{x)/v{x) where u{x) and v{x) are coprime polynomials, 
atthe expense of {dFdG)^'^"^^\logq)^'^°^^^ elementary operations. 

We first notice that the problem is trivial if one of the two fractions has degree 1. Composing F 
and G with rational linear fractions we may assume that F{0) = G{0) = 0. We compute the Taylor 

expansions at of either fractions and we compose them using the algorithm in Theorem 3. We 
recover the numerator u{x) and denominator v{x) of the corresponding fraction using fast extended 
EucUd algorithm. 
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